Users being randomly demoted to Subscriber/initial role

Aloha, can you confirm that the user entries in the Authorizer Approved List show the correct role? In the past we’ve had an issue where changing the role in the WordPress UI did not properly sync to the Authorizer Approved List, so Authorizer was changing the role to what it had listed when the user logged in.

If all looks good there, then any other details you can provide would be helpful.

1. Where in the WordPress dashboard did you change roles (via bulk actions on the user list page, editing the individual user profile, or the dropdown on the Authorizer Approved list are the 3 methods we are aware of)?
2. Is this only affecting multisite users that also have capabilities on another site in the network, or all users?
3. Does it happen when the user first logs into the new site, or on subsequent logins?
4. Do you know if the users were hitting the /wp-login.php endpoint of the new subsite, or some other subsite, or the main site?

One other thought is that the Authorizer Approved List is stored in a single option in the wp_options table, so there’s the possibility of concurrency if you have a lot of users and you are updating a lot of user roles at once.

Thanks for your response!

In the past we’ve had an issue where changing the role in the WordPress UI did not properly sync to the Authorizer Approved List, so Authorizer was changing the role to what it had listed when the user logged in.

That sounds like it would describe our situation pretty well – I wonder if that’s what’s happening? The roles are currently correct in Authorizor compared to the WP UI. If we should simply avoid making role changes with the WP user UI, I can live with that as a solution for now.

1. Where in the WordPress dashboard did you change roles (via bulk actions on the user list page, editing the individual user profile, or the dropdown on the Authorizer Approved list are the 3 methods we are aware of)?

WordPress UI, using bulk actions

2. Is this only affecting multisite users that also have capabilities on another site in the network, or all users?

Yes, all affected users are multisite users who previously had capabilities elsewhere

3. Does it happen when the user first logs into the new site, or on subsequent logins?

I can say that in at least one case, a user had the correct role, logged in, did actions in that role, and then when coming back to the site later, had lost that role and was demoted to a subscriber, and that the preceding scenario happened to them twice. With other users who were demoted, I don’t know if they successfully performed actions before later losing their role.

4. Do you know if the users were hitting the /wp-login.php endpoint of the new subsite, or some other subsite, or the main site?

Probably the login page of their subsite, but we don’t know

• This reply was modified 3 years, 7 months ago by lizardzone. Reason: fixed blockquotes

Thanks for the details. We fixed an issue with bulk action role changes not syncing in version 3.0.10 (released May 2021), can you confirm you’re on that version or newer?

We will poke around and see if we can reproduce, but right now nothing is jumping out at me.

Yup, we are on 3.1.2

One other thought that occurred to me: do you have any custom caching plugins or something like varnish on the server? Just wondering if the old role got cached somewhere.

Also, does the multisite have any custom roles defined on some subsites, but not others?

We’re still looking around!

We use W3C Total Cache for page-level caching for non-logged-in visitors.

No custom roles involved in this particular scenario. We have one custom role which has been used for a few users on another child site. None of those users or roles or sites intersect with the sites where we’ve experienced this problem.

Thanks for the details. Let us know if you think of any other relevant data (you can send it via DM in WordPress Slack if needed).

We’ll continue to investigate!