Author templates display all users on a multisite network, even if the user is not a member of a specific blog

[chellycat]

When loading an author template, WordPress should check against current users. If the author isn't valid, load 404 template.

If it's a multisite, WordPress should check the passed author slug against current users of the blog -- not all registered users of the network.

To replicate the issue, do the following:

1. Create a WordPress multisite environment.
2. Create a test blog and at least two users (User A and User B).
3. Add User A to your test blog.
4. In your browser's URL bar, type ​http://yourtestblogurl.com/author/userb
5. Observe how user User B's profile information appears on the author page, even though User B is not a user of that specific blog.

Again, the ideal solution when loading author templates for a multisite network would be to check to see if a user is a current member of a given blog (and not the entire network).

[scribu]

Confirmed. get_user_by() used in WP_Query doesn't check if the author has a role on the current blog.

[scribu]

Note that if the user has no posts (which they shouldn't), the 404 template is loaded, as expected.

[scribu]

Given that when you remove a user from a blog, you're asked what to do with their posts, I'm not sure we should try to fix this.

[DrewAPicture]

Replying to scribu:

Given that when you remove a user from a blog, you're asked what to do with their posts, I'm not sure we should try to fix this.

Just a couple of questions:

• Do posts from other sites also show on said author archives?

• If a user is a member of multiple sites and you reassign their posts, what is the current behavior? Do they get reassigned to a single user and a single site?

Assuming posts should remain exclusive to sites, shouldn't we focus on maintaining that exclusivity when posts are reassigned? That may be enough for a new ticket depending on the current behavior.

Regardless, if I have multiple sites in MU, I don't necessarily want users from one site showing on other sites' author archives.

[SergeyBiryukov]

Replying to scribu:

Given that when you remove a user from a blog, you're asked what to do with their posts

Not in Multisite: #15855

[scribu]

Replying to DrewAPicture:

• Do posts from other sites also show on said author archives?

Never.

• If a user is a member of multiple sites and you reassign their posts, what is the current behavior? Do they get reassigned to a single user and a single site?

Posts can only have a single author. Posts never get moved between sites.

Regardless, if I have multiple sites in MU, I don't necessarily want users from one site showing on other sites' author archives.

The idea is that you'll get a 404 anyway, since under normal conditions, you won't have any posts assigned to users that have no role on the current site. I.e. we should focus on fixing #15855

[mfields]

Replying to scribu:

Note that if the user has no posts (which they shouldn't), the 404 template is loaded, as expected.

On a fresh, local multisite installation I did the following:

• Created new site.
• Created a new user.
• I did not add the user to the site.
• Requested the author archive for the new user on the new site.

At this point, Twenty Eleven loads author.php but displays the following no post found message: Nothing Found: Apologies, but no results were found for the requested archive. Perhaps searching will help find a related post.

Basically, author.php gets loaded if the author exists on the network regardless of whether they are associated with the site. I believe that a better solution would be for core to serve the 404 template in such instances bypassing author.php altogether.

[SergeyBiryukov]

#20601 has a patch.