User roles being “rolled” back

Thanks! We’ve had one similar report from our institution but we were never able to get a concrete answer. We ultimately blamed it on a very large multisite with a low mysql max_allowed_packet corrupting the list of approved Authorizer users and their roles when it was updated. So that’s one thing to check.

The extra details about the failed logins give us another data point to look into. I’ll let you know if we have any follow up questions, thanks again for offering to help debug.

One other side comment with regards to the Members plugin: the role setting functionality in Authorizer expects a single role to be assigned, so it may occasionally conflict with multiple assigned roles assigned from another plugin. We’re still waiting for the core WordPress set_role() function to support multiple roles to get around this. https://developer.www.ads-software.com/reference/classes/wp_user/set_role/

Well, one of those users (the one who is supposed to be an Editor and keeps getting set back to Subscriber) had his permissions rolled back again today, without the failed login, so I guess that’s a red herring.

Not to be a downer about it, but I’m about to have to implement some new MFA requirements coming from waaaay above my pay grade, that may move us to a new authentication plugin. I’ll be sad, because this has been a genuinely useful tool for me for a long time, but it may solve my particular local problems.

At this point, the rollback is happening every time for this one user. (Don’t know if the other user is active or not, honestly.)

Looking at the [mydbprefix and site number]_fa_user_logins table, I’m seeing this user has ‘old_role’ = subscriber. If I were to edit that by hand to editor…..? I always hate to do that sort of thing without knowing if I’m breaking something else…..

Do you know which plugin creates the wp_x_fa_user_logins_table? It’s not Authorizer. If you want to see what role Authorizer thinks the user should be, check the auth_settings_access_users_approved option in wp_options (or wp_x_options for a specific subsite). It’s a serialized array so a little hard to inspect, but I’m wondering if it’s grown so large that it’s not properly being updated when you make a role change from the Approved User list in the admin dashboard.

YES, okay, I see the user and when I run the data through unserialize, this is what I have:

16 =>
array (
'email' => '[user email]',
'role' => 'subscriber',
'date_added' => '2024-01-04 17:40:21',
),

There are 16 entries for this particular subsite.

I looked at the approved users for this subsite in the Authorizer admin tab, and it shows this user as being approved as an editor.

The fa_prefix refered to the User Login History plugin, which honestly I had forgotten I had running. (Sometimes the chainsaws that I’m juggling hit the ground. *sigh* At least I tend to default to “more security” rather than less.) I have disabled it because I have other logging enabled that makes it redundant. I’ll let you know if this seems to have changed anything.

Meanwhile, my other user on the other multisite network logged in this afternoon, and her permissions had been rolled back, too.

I hear ya with the chainsaws ??

Ok so we should definitely investigate why the database has the user role at subscriber but the UI shows editor. Two things I can think of at the moment:

1. The user has a “multisite approved user” entry (from Network Settings) and an approved user entry on the specific subsite, and they disagree (although Authorizer is supposed to detect duplicates here)
2. The user has two separate accounts, perhaps one linked by username and another linked by email

Can you look in the database again and see if you can find any entry for this user with editor role? Besides the auth_settings_access_users_approved in the options table you’ve already inspected, the multisite approved users are stored in wp_options with name auth_multisite_settings_access_users_approved.

No, neither of them have two accounts, and neither of them are in the multisite approved users.

The person who keeps toggling back to “researcher” from “researcher_admin” + “editor” is set to “researcher” in the auth_settings_access_users_approved, which is expected from the perspective of that being what she keeps getting reset to, but that is NOT the default setting for that site. The default setting is “subscriber”; she started out there and at some point the system accepted and saved the change in her role to “researcher.” (This would have been relatively recent — within maybe the last three months?) At some point since then it stopped saving changes. (On TWO separate multisite networks, no less.) In both of these cases, these are relatively new users and recent role changes. People who’ve been around longer have their settings established. Something changed between point A and point B. ??

I’m going to play around with some placeholder accounts and see if I can replicate this thing. It’ll be a lot easier to experiment if I’m not waiting for a user to log in.

I’ll update here if I find anything.

This feels like a conflict with your other plugin that’s providing multiple roles. As mentioned above, the core function set_role() doesn’t handle multiple roles. So when the user successfully logs in, Authorizer checks to make sure their role matches what is in the Approved list, and if it doesn’t match, it uses set_role() to update their role

https://github.com/uhm-coe/authorizer/blob/master/src/authorizer/class-authorization.php#L391-L394

It’s probably only affecting users whose role in the Approved list is not in any of their assigned roles (so in your example, assigned is researcher_admin + editor but the entry in the Approved list is researcher). So I think a quick fix is making sure their Approved list role is either researcher_admin or editor, then Authorizer won’t try to update their role.

Yes, I think we’re on the right track, here. I just updated both users to “editor” on their respective sites through the approved users interface for Authorizer INSTEAD of changing their roles through their individual profile interfaces. The database entries for auth_settings_access_users_approved are now showing “editor.”

We’ll see if the one user also retains the custom role of researcher_admin!