Skip to content

fix: render inactive-user badge without mutating WP_User#110

Open
sjinks wants to merge 1 commit into
productionfrom
pltfrm-2468-inactive-badge-user-login-corruption
Open

fix: render inactive-user badge without mutating WP_User#110
sjinks wants to merge 1 commit into
productionfrom
pltfrm-2468-inactive-badge-user-login-corruption

Conversation

@sjinks

@sjinks sjinks commented Jun 13, 2026

Copy link
Copy Markdown
Member

Description

The Users list "Inactive User" / "Blocked: Inactivity" badge was being appended directly to WP_User->user_login for every inactive item in $wp_list_table->items, on the admin_head-users.php / admin_head-users-network.php actions.

Those WP_User objects are shared by reference and are passed to the user_row_actions filter while WordPress renders each row. Any consumer that reads $user_object->user_login there received the badge HTML appended to the login instead of the real value. Co-Authors Plus looks up a linked guest author by an exact user_login match, so linked inactive users were shown its "Create Profile" action instead of "Edit Profile" (the linked-account lookup no longer matched).

This change renders the badge at the output layer instead of mutating the model object:

  • modify_users_list_table_items() no longer touches WP_User. It collects the IDs of inactive users and prints a small inline script.
  • The script appends the badge <span> to the rendered username cell (.column-username) for each inactive user, using document.createElement + textContent (no innerHTML), guarded against double-adding.
  • Row resolution works on both tables: single-site rows expose id="user-{ID}"; network admin rows have no row id, so the script falls back to the row checkbox (#blog_{ID}) and finally the edit-link href (user_id={ID}).
  • The JSON payload is encoded with JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT so a translated badge string can never break out of the inline <script>.

The fix is entirely in this plugin; no change is needed in any consumer, whose user_login read is legitimate.

Tradeoff: the badge is now applied client-side, so it does not appear with JavaScript disabled. The badge is purely informational — the inactivity enforcement (auth / application-password / REST blocking in BLOCK mode) is server-side and unchanged.

Changelog Description

Fixed

  • Inactive-user badge on the Users list no longer modifies the underlying user object, fixing a conflict where plugins reading the username (such as Co-Authors Plus) saw badge markup instead of the real login.

Pre-review checklist

  • This change works and has been tested locally or in Codespaces (or has an appropriate fallback).
  • This change has relevant unit tests (if applicable).
  • This change has relevant documentation additions / updates (if applicable).
  • I've created a changelog description that aligns with the provided examples.

Steps to Test

  1. Check out the PR with Co-Authors Plus active.
  2. Link a guest author to a user (set the guest author's linked account to that user's login).
  3. Flag that user as inactive so the "Inactive User" badge renders on wp-admin/users.php.
  4. Optionally add add_filter( 'coauthors_show_create_profile_user_link', '__return_true' ); to make the action visible.
  5. Visit users.php: the inactive, linked user now shows Edit Profile (previously Create Profile), and the badge still appears in the username column.
  6. Confirm the badge still renders for inactive/blocked users on both users.php and (multisite) users-network.php.
  7. Confirm a user_row_actions probe logging strlen( $user_object->user_login ) reports the clean login length for inactive users.

@sjinks
fix: render inactive-user badge without mutating WP_User
e6bc93b 
The Users list "Inactive User" / "Blocked: Inactivity" badge was appended
directly to `WP_User->user_login` for every inactive item in
`$wp_list_table->items` on `admin_head-users.php`. Those objects are
shared by reference and are passed to the `user_row_actions` filter during
row rendering, so any consumer that reads `user_login` there received the
badge HTML instead of the real login. Co-Authors Plus looks up a linked
guest author by exact `user_login` match, so linked inactive users were
shown "Create Profile" instead of "Edit Profile".

Render the badge at the output layer instead: emit an inline script that
appends the badge to the rendered username cell, keyed on the user row,
and leave the `WP_User` objects untouched. The script resolves the row
across both the single-site (`#user-{ID}`) and network admin tables
(network rows have no row id, so it falls back to the row checkbox
`#blog_{ID}` and the edit-link href). The JSON payload is encoded with
JSON_HEX_* flags so a translated badge string cannot break out of the
inline script.

Tests: assert the badge is emitted via output (not via mutation), that
`user_login` is preserved byte-for-byte, that the payload is
`</script>`-safe, and that the network fallback selectors are present.

Refs: PLTFRM-2468
Copilot AI review requested due to automatic review settings June 13, 2026 05:10
Copilot AI reviewed Jun 13, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes the inactive-user badge rendering in the WordPress Users list by avoiding mutation of shared WP_User objects (specifically user_login), and instead injecting the badge at the output layer via an inline script.

Changes:

  • Refactors Inactive_Users::modify_users_list_table_items() to collect inactive user IDs and emit a client-side script that appends the badge to .column-username.
  • Adds a hardened JSON payload for the inline script (using wp_json_encode with JSON_HEX_* flags) and guards against duplicate badge insertion.
  • Updates and expands PHPUnit coverage to validate output-based rendering, non-mutation regression behavior, script-safety, and network table selector fallbacks.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File Description
modules/inactive-users/class-inactive-users.php Stops mutating WP_User->user_login and injects the badge client-side via an inline script.
tests/phpunit/test-inactive-users.php Updates tests to assert script output and adds regressions for non-mutation + script-safety + multisite fallbacks.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread modules/inactive-users/class-inactive-users.php
Comment on lines +332 to +335
var link = document.querySelector( 'a[href*="user_id=' + id + '"]' );
if ( link && link.closest ) {
return link.closest( 'tr' );
}
Comment thread tests/phpunit/test-inactive-users.php
Comment on lines +269 to +273
$inactive_user = new stdClass();
$inactive_user->ID = $this->user_id;
$inactive_user->user_login = 'zbroussard@salesforce.com';

$wp_list_table->items = [ $inactive_user ];
Comment thread tests/phpunit/test-inactive-users.php
Comment on lines +281 to +283
// The login must be byte-for-byte preserved: no badge markup, no padding.
$this->assertSame( 'zbroussard@salesforce.com', $wp_list_table->items[0]->user_login );
$this->assertStringNotContainsString( 'inactive-user-badge', $wp_list_table->items[0]->user_login );
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@sjinks