> For the current error, try changing thing["item"] to thing->item

Changing thing["item"] to thing->item did get past the initial error,
but unearthed other problems with that code path in general for the
Debian patch "38474.patch".

I actually have a reasonably full patch (attached) that is looking
quite robust. I was hoping to also attach a sane and readable list of
some wpcli based tests before I submitted the patch but I haven't got
those together yet....


Adrian


Description: Avoid fatal error when adding a multisite user without confirmation
 The multisite Add User screen assumes that the user creation result is an
 array containing a user_id. In some paths the underlying function returns a
 scalar user ID instead, causing an attempt to access an array offset on an
 integer.
 .
 Normalise or validate the result before using it so that the Skip
 Confirmation Email path completes without a fatal error.
Author: Adrian O'Grady <[email protected]>
Bug-Debian: https://bugs.debian.org/1140116
Forwarded: no
Last-Update: 2026-06-16


Index: wordpress-6.9.4+dfsg1/wp-admin/user-new.php
===================================================================
--- wordpress-6.9.4+dfsg1.orig/wp-admin/user-new.php
+++ wordpress-6.9.4+dfsg1/wp-admin/user-new.php
@@ -230,7 +230,7 @@ Please click the following link to confi
 
 			wp_ensure_editable_role( $_REQUEST['role'] );
 
-			wpmu_signup_user(
+			$signup = wpmu_signup_user(
 				$new_user_login,
 				$new_user_email,
 				array(
@@ -239,9 +239,20 @@ Please click the following link to confi
 				)
 			);
 
-			if ( isset( $_POST['noconfirmation'] ) && current_user_can( 'manage_network_users' ) ) {
-                $row = $wpdb->get_row( $wpdb->prepare( "SELECT activation_key, signup_id FROM {$wpdb->signups} WHERE user_login = %s AND user_email = %s", $new_user_login, $new_user_email ) );
-                $new_user = wpmu_activate_signup( $row['activation_key'], $row['signup_id'] );
+#			if ( isset( $_POST['noconfirmation'] ) && current_user_can( 'manage_network_users' ) ) {
+#                $row = $wpdb->get_row( $wpdb->prepare( "SELECT activation_key, signup_id FROM {$wpdb->signups} WHERE user_login = %s AND user_email = %s", $new_user_login, $new_user_email ) );
+#                $new_user = wpmu_activate_signup( $row['activation_key'], $row['signup_id'] );
+
+			if ( is_wp_error( $signup ) ) {
+				$add_user_errors = $signup;
+			} elseif (
+				isset( $_POST['noconfirmation'] )
+				&& current_user_can( 'manage_network_users' )
+			) {
+				$new_user = wpmu_activate_signup(
+					$signup['key'],
+					$signup['signup_id']
+				);
 				if ( is_wp_error( $new_user ) ) {
 					$redirect = add_query_arg( array( 'update' => 'addnoconfirmation' ), 'user-new.php' );
 				} elseif ( ! is_user_member_of_blog( $new_user['user_id'] ) ) {
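Review bot: The new `is_wp_error( $signup )` branch sets `$add_user_errors` but, unlike every other visible branch of this chain, never assigns `$redirect`. The rest of the chain and the code after it are outside the hunk; if that code still redirects with `$redirect` and exits, a failed signup would redirect with an undefined variable and the error would never be shown, so either assign a redirect in that branch or make sure the redirect is skipped when `$signup` is an error. The three old lines kept as `#` comments should be deleted rather than commented out, since the patch itself already records them as removed. A one-line comment above the call, such as `// Pass the plaintext key; wpmu_activate_signup() checks it against the hash stored for this signup_id.`, would document why `$signup['key']` and not `$signup['activation_key']` is passed, assuming that is what the two-argument call relies on.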
Index: wordpress-6.9.4+dfsg1/wp-includes/ms-functions.php
===================================================================
--- wordpress-6.9.4+dfsg1.orig/wp-includes/ms-functions.php
+++ wordpress-6.9.4+dfsg1/wp-includes/ms-functions.php
@@ -904,7 +904,7 @@ function wpmu_signup_user( $user, $user_
 	 */
 	$meta = apply_filters( 'signup_user_meta', $meta, $user, $user_email, $key, $hashed );
 
-	$wpdb->insert(
+	$inserted = $wpdb->insert(
 		$wpdb->signups,
 		array(
 			'domain'         => '',
@@ -918,6 +918,18 @@ function wpmu_signup_user( $user, $user_
 		)
 	);
 
+
+	if ( false === $inserted ) {
+		return new WP_Error(
+			'could_not_create_signup',
+			__( 'The user signup could not be created.' )
+		);
+	}
+
+	$signup_id = (int) $wpdb->insert_id;
+
+
+
 	/**
 	 * Fires after a user's signup information has been written to the database.
 	 *
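Review bot: Returning a `WP_Error` when the insert fails only helps callers that inspect the result. The user-new.php change in this patch does, but any other caller of `wpmu_signup_user()` (none is visible here; a front-end signup handler would be one) will still carry on and report success with no signup row written. Those call sites should be checked as part of the same change. The extra blank lines added before the `if` and after `$signup_id = (int) $wpdb->insert_id;` should be reduced to single blank lines; the function body starts and ends outside this hunk.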
@@ -930,7 +942,12 @@ function wpmu_signup_user( $user, $user_
      * @param int    $signup_id  Signup ID.
      * @param string $hashed     The user's hashed activation key.
 	 */
-	do_action( 'after_signup_user', $user, $user_email, $key, $meta, $wpdb->insert_id, $hashed );
+	do_action( 'after_signup_user', $user, $user_email, $key, $meta, $signup_id, $hashed );
+	return array(
+		'key'            => $key,
+		'activation_key' => $hashed,
+		'signup_id'      => $signup_id,
+	);
 }
 
 /**
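Review bot: The returned array's element names invite misuse: `key` is the plaintext activation key while `activation_key` is the hash, which is presumably what the `activation_key` column holds, so a caller can easily pass the wrong one. The function returned nothing before, so its docblock (outside this hunk) needs `@return array|WP_Error` with each element described, including a remark that `key` is a secret that callers must not log or output. Naming the hash element `hashed_key` instead would make the distinction explicit. A blank line between `do_action( ... )` and `return array(` would also match the surrounding style.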
@@ -1295,7 +1312,9 @@ function wpmu_activate_signup(
 				'active'    => 1,
 				'activated' => $now,
 			),
-			array( 'activation_key' => $key )
+			#array( 'activation_key' => $key )
+			array( 'signup_id' => $signup->signup_id )
+
 		);
 
 		if ( isset( $user_already_exists ) ) {
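Review bot: The old `array( 'activation_key' => $key )` line is left behind as a `#` comment in all three `$wpdb->update()` calls (this hunk and the ones at -1337 and -1349); delete it, and drop the blank line added before `);` here. The new WHERE clause is only correct if `$signup` is a loaded row whose key has already been verified. That lookup is outside these hunks, so confirm that every path reaching these updates returns early when no signup row was found or the key did not match. A short comment on the new line would help, e.g. `// Match on the primary key: activation_key stores a hash, so $key no longer identifies the row.`, assuming that is the reason for the change.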
@@ -1337,7 +1356,8 @@ function wpmu_activate_signup(
 					'active'    => 1,
 					'activated' => $now,
 				),
-				array( 'activation_key' => $key )
+				#array( 'activation_key' => $key )
+				array( 'signup_id' => $signup->signup_id )
 			);
 		}
 		return $blog_id;
@@ -1349,7 +1369,8 @@ function wpmu_activate_signup(
 			'active'    => 1,
 			'activated' => $now,
 		),
-		array( 'activation_key' => $key )
+		#array( 'activation_key' => $key )
+		array( 'signup_id' => $signup->signup_id )
 	);
 
 	/**
