Updating user roles, carefully #55

Open
jrchamp opened this issue Mar 20, 2019 · 1 comment

@jrchamp
Collaborator

jrchamp commented Mar 20, 2019

Based on https://wordpress.org/support/topic/update-user-roles/

Right now the Shibboleth plugin uses set_role(), which removes all roles, even those that were added by other methods. The request is to only update the primary role, but I'm thinking an easier and safer way to define this is: "The Shibboleth plugin should only update the role(s) that the Shibboleth plugin has granted."

Here’s my idea:

  1. Create a new usermeta that contains the “Shibboleth managed roles” for a user.
  2. Use the current set of “Shibboleth mapped roles” and the differences with the existing “Shibboleth managed roles” to determine whether to add or remove roles from a user.
    • This will require switching from set_role() to add_role() and remove_role()
  3. If we made changes to their role, we update the “Shibboleth managed roles” usermeta for that user.
    • Initially the value will not exist, but that’s okay because we only care when we are calling the “update roles” code. Thus: if blank, set to current “mapped roles” value; if not blank, compare to current “mapped roles” value and update if we make changes.

Thoughts? Worthwhile?

@michaelryanmcneill
Owner

I think this is absolutely worthwhile. My only concern would be for changes in configuration between logins causing us to miss the removal of a role, but a secondary set of usermeta should properly account for that.
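
A sketch of the reconciliation proposed in this thread, as an added example that is not part of the issue or the plugin's code. The function names and the `shibboleth_managed_roles` meta key are hypothetical; the sample at the end is constructed to show a mapping change between logins alongside a role granted by another plugin.

```php
<?php
// Added example: not the Shibboleth plugin's code. The function names and the
// 'shibboleth_managed_roles' meta key are hypothetical.

/**
 * Plan role changes so that only roles Shibboleth granted earlier are ever removed.
 * $mapped:  roles the current mapping grants at this login
 * $managed: roles stored in the "managed roles" usermeta, or null if never stored
 * $current: roles the user holds right now (WP_User::$roles)
 */
function shib_plan_role_changes(array $mapped, ?array $managed, array $current): array {
    $mapped = array_values(array_unique($mapped));
    if ($managed === null) {
        $managed = $mapped; // first run: nothing recorded, so nothing is ours to remove
    }
    return [
        // Previously granted by Shibboleth, no longer mapped, still held.
        'remove'  => array_values(array_intersect(array_diff($managed, $mapped), $current)),
        // Mapped now but not yet held.
        'add'     => array_values(array_diff($mapped, $current)),
        'managed' => $mapped,
    ];
}

// WordPress glue; only callable inside WordPress (at login, with the mapped roles).
function shib_apply_role_changes(WP_User $user, array $mapped): void {
    $stored  = get_user_meta($user->ID, 'shibboleth_managed_roles', true);
    $managed = is_array($stored) ? $stored : null;
    $plan    = shib_plan_role_changes($mapped, $managed, $user->roles);
    foreach ($plan['remove'] as $role) {
        $user->remove_role($role);
    }
    foreach ($plan['add'] as $role) {
        $user->add_role($role);
    }
    if ($managed !== $plan['managed']) {
        update_user_meta($user->ID, 'shibboleth_managed_roles', $plan['managed']);
    }
}

// Constructed sample: the mapping changed from editor+subscriber to author between
// logins, and 'shop_manager' was granted by another plugin.
$plan = shib_plan_role_changes(
    ['author'],
    ['editor', 'subscriber'],
    ['editor', 'subscriber', 'shop_manager']
);
echo json_encode($plan), PHP_EOL;
```

Because the managed list is set to the mapped roles, a role that another method had already granted and that the mapping also grants is recorded as Shibboleth-managed, and is removed once the mapping drops it.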
