<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[51943] trunk: Role/Capability: Add support for capability queries in `WP_User_Query`.</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { white-space: pre-line; overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta" style="font-size: 105%">
<dt style="float: left; width: 6em; font-weight: bold">Revision</dt> <dd><a style="font-weight: bold" href="https://core.trac.wordpress.org/changeset/51943">51943</a></dd>
<dt style="float: left; width: 6em; font-weight: bold">Author</dt> <dd>swissspidy</dd>
<dt style="float: left; width: 6em; font-weight: bold">Date</dt> <dd>2021-10-27 18:42:13 +0000 (Wed, 27 Oct 2021)</dd>
</dl>

<pre style='padding-left: 1em; margin: 2em 0; border-left: 2px solid #ccc; line-height: 1.25; font-size: 105%; font-family: sans-serif'>Role/Capability: Add support for capability queries in `WP_User_Query`.

Similar to the existing `role`/`role__in`/`role__not_in` query arguments, this adds support for three new query arguments in `WP_User_Query`:

* `capability` 
* `capability__in`
* `capability__not_in`

These can be used to fetch users with (or without) a specific set of capabilities, for example to get all users
with the capability to edit a certain post type.

Under the hood, this will check all existing roles on the site and perform a `LIKE` query against the `capabilities` user meta field to find:

* all users with a role that has this capability
* all users with the capability being assigned directly

Note: In WordPress, not all capabilities are stored in the database. Capabilities can also be modified using filters like `map_meta_cap`. These new query arguments do NOT work for such capabilities.

The prime use case for capability queries is to get all "authors", i.e. users with the capability to edit a certain post type.

Until now, `'who' => 'authors'` was used for this, which relies on user levels. However, user levels were deprecated a long time ago and thus never added to custom roles. This led to constant frustration due to users with custom roles missing from places like author dropdowns.

This updates any usage of `'who' => 'authors'` in core to use capability queries instead.

Subsequently, `'who' => 'authors'` queries are being **deprecated** in favor of these new query arguments.

Also adds a new `capabilities` parameter (mapping to `capability__in` in `WP_User_Query`) to the REST API users controller.

Also updates `twentyfourteen_list_authors()` in Twenty Fourteen to make use of this new functionality, adding a new `twentyfourteen_list_authors_query_args` filter to make it easier to override this behavior.

Props scribu, lgladdly, boonebgorges, spacedmonkey, peterwilsoncc, SergeyBiryukov, swissspidy.
Fixes <a href="https://core.trac.wordpress.org/ticket/16841">#16841</a>.</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunksrcwpadminincludesclasswppostslisttablephp">trunk/src/wp-admin/includes/class-wp-posts-list-table.php</a></li>
<li><a href="#trunksrcwpadminincludesmetaboxesphp">trunk/src/wp-admin/includes/meta-boxes.php</a></li>
<li><a href="#trunksrcwpcontentthemestwentyfourteenfunctionsphp">trunk/src/wp-content/themes/twentyfourteen/functions.php</a></li>
<li><a href="#trunksrcwpincludesclasswpuserqueryphp">trunk/src/wp-includes/class-wp-user-query.php</a></li>
<li><a href="#trunksrcwpincludesrestapiendpointsclasswprestuserscontrollerphp">trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php</a></li>
<li><a href="#trunksrcwpincludesuserphp">trunk/src/wp-includes/user.php</a></li>
<li><a href="#trunktestsphpunittestsrestapirestuserscontrollerphp">trunk/tests/phpunit/tests/rest-api/rest-users-controller.php</a></li>
<li><a href="#trunktestsphpunittestsuserqueryphp">trunk/tests/phpunit/tests/user/query.php</a></li>
<li><a href="#trunktestsphpunittestsxmlrpcwpgetUsersphp">trunk/tests/phpunit/tests/xmlrpc/wp/getUsers.php</a></li>
<li><a href="#trunktestsqunitfixtureswpapigeneratedjs">trunk/tests/qunit/fixtures/wp-api-generated.js</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunksrcwpadminincludesclasswppostslisttablephp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: trunk/src/wp-admin/includes/class-wp-posts-list-table.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/src/wp-admin/includes/class-wp-posts-list-table.php 2021-10-27 18:20:58 UTC (rev 51942)
+++ trunk/src/wp-admin/includes/class-wp-posts-list-table.php   2021-10-27 18:42:13 UTC (rev 51943)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -1660,7 +1660,7 @@
</span><span class="cx" style="display: block; padding: 0 10px">                                        if ( current_user_can( $post_type_object->cap->edit_others_posts ) ) {
</span><span class="cx" style="display: block; padding: 0 10px">                                                $users_opt = array(
</span><span class="cx" style="display: block; padding: 0 10px">                                                        'hide_if_only_one_author' => false,
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-                                                        'who'                     => 'authors',
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+                                                 'capability'              => array( $post_type_object->cap->edit_posts ),
</ins><span class="cx" style="display: block; padding: 0 10px">                                                         'name'                    => 'post_author',
</span><span class="cx" style="display: block; padding: 0 10px">                                                        'class'                   => 'authors',
</span><span class="cx" style="display: block; padding: 0 10px">                                                        'multi'                   => 1,
</span></span></pre></div>
<a id="trunksrcwpadminincludesmetaboxesphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: trunk/src/wp-admin/includes/meta-boxes.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/src/wp-admin/includes/meta-boxes.php        2021-10-27 18:20:58 UTC (rev 51942)
+++ trunk/src/wp-admin/includes/meta-boxes.php  2021-10-27 18:42:13 UTC (rev 51943)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -903,12 +903,14 @@
</span><span class="cx" style="display: block; padding: 0 10px">  */
</span><span class="cx" style="display: block; padding: 0 10px"> function post_author_meta_box( $post ) {
</span><span class="cx" style="display: block; padding: 0 10px">        global $user_ID;
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+
+       $post_type_object = get_post_type_object( $post->post_type );
</ins><span class="cx" style="display: block; padding: 0 10px">         ?>
</span><span class="cx" style="display: block; padding: 0 10px"> <label class="screen-reader-text" for="post_author_override"><?php _e( 'Author' ); ?></label>
</span><span class="cx" style="display: block; padding: 0 10px">        <?php
</span><span class="cx" style="display: block; padding: 0 10px">        wp_dropdown_users(
</span><span class="cx" style="display: block; padding: 0 10px">                array(
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-                        'who'              => 'authors',
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+                 'capability'       => array( $post_type_object->cap->edit_posts ),
</ins><span class="cx" style="display: block; padding: 0 10px">                         'name'             => 'post_author_override',
</span><span class="cx" style="display: block; padding: 0 10px">                        'selected'         => empty( $post->ID ) ? $user_ID : $post->post_author,
</span><span class="cx" style="display: block; padding: 0 10px">                        'include_selected' => true,
</span></span></pre></div>
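Review bot: the added `$post_type_object = get_post_type_object( $post->post_type );` at the top of `post_author_meta_box()` is dereferenced as `$post_type_object->cap->edit_posts` without a null check, and `get_post_type_object()` returns null when the post type is not registered. Guard the lookup and fall back to a default such as `edit_posts`, so that a post whose type is no longer registered does not produce PHP warnings and a capability filter built from a null value when the author box renders.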
<a id="trunksrcwpcontentthemestwentyfourteenfunctionsphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: trunk/src/wp-content/themes/twentyfourteen/functions.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/src/wp-content/themes/twentyfourteen/functions.php  2021-10-27 18:20:58 UTC (rev 51942)
+++ trunk/src/wp-content/themes/twentyfourteen/functions.php    2021-10-27 18:42:13 UTC (rev 51943)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -491,15 +491,24 @@
</span><span class="cx" style="display: block; padding: 0 10px">         * @since Twenty Fourteen 1.0
</span><span class="cx" style="display: block; padding: 0 10px">         */
</span><span class="cx" style="display: block; padding: 0 10px">        function twentyfourteen_list_authors() {
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-                $contributor_ids = get_users(
-                       array(
-                               'fields'  => 'ID',
-                               'orderby' => 'post_count',
-                               'order'   => 'DESC',
-                               'who'     => 'authors',
-                       )
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+         $args = array(
+                       'fields'     => 'ID',
+                       'orderby'    => 'post_count',
+                       'order'      => 'DESC',
+                       'capability' => array( 'edit_posts' ),
</ins><span class="cx" style="display: block; padding: 0 10px">                 );
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+                /**
+                * Filters query arguments for listing authors.
+                *
+                * @since 3.3
+                *
+                * @param array $args Query arguments.
+                */
+               $args = apply_filters( 'twentyfourteen_list_authors_query_args', $args );
+
+               $contributor_ids = get_users( $args );
+
</ins><span class="cx" style="display: block; padding: 0 10px">                 foreach ( $contributor_ids as $contributor_id ) :
</span><span class="cx" style="display: block; padding: 0 10px">                        $post_count = count_user_posts( $contributor_id );
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span></span></pre></div>
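Review bot: `'capability' => array( 'edit_posts' )` in the new `$args` array is only understood by `WP_User_Query` from 5.9.0 (per the `@since` line this commit adds in class-wp-user-query.php), so when this theme runs on an older WordPress the argument is ignored and the query is no longer restricted to authors. Keep `'who' => 'authors'` as a fallback behind a core version check. Separately, the new filter docblock uses `@since 3.3` while the function docblock just above uses `@since Twenty Fourteen 1.0`; use the same prefixed form.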
<a id="trunksrcwpincludesclasswpuserqueryphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: trunk/src/wp-includes/class-wp-user-query.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/src/wp-includes/class-wp-user-query.php     2021-10-27 18:20:58 UTC (rev 51942)
+++ trunk/src/wp-includes/class-wp-user-query.php       2021-10-27 18:42:13 UTC (rev 51943)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -93,6 +93,9 @@
</span><span class="cx" style="display: block; padding: 0 10px">                        'role'                => '',
</span><span class="cx" style="display: block; padding: 0 10px">                        'role__in'            => array(),
</span><span class="cx" style="display: block; padding: 0 10px">                        'role__not_in'        => array(),
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+                        'capability'          => '',
+                       'capability__in'      => array(),
+                       'capability__not_in'  => array(),
</ins><span class="cx" style="display: block; padding: 0 10px">                         'meta_key'            => '',
</span><span class="cx" style="display: block; padding: 0 10px">                        'meta_value'          => '',
</span><span class="cx" style="display: block; padding: 0 10px">                        'meta_compare'        => '',
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -133,6 +136,7 @@
</span><span class="cx" style="display: block; padding: 0 10px">         *              querying for all users with using -1.
</span><span class="cx" style="display: block; padding: 0 10px">         * @since 4.7.0 Added 'nicename', 'nicename__in', 'nicename__not_in', 'login', 'login__in',
</span><span class="cx" style="display: block; padding: 0 10px">         *              and 'login__not_in' parameters.
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+         * @since 5.9.0 Added 'capability', 'capability__in', and 'capability__not_in' parameters.
</ins><span class="cx" style="display: block; padding: 0 10px">          *
</span><span class="cx" style="display: block; padding: 0 10px">         * @global wpdb $wpdb WordPress database abstraction object.
</span><span class="cx" style="display: block; padding: 0 10px">         * @global int  $blog_id
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -148,6 +152,19 @@
</span><span class="cx" style="display: block; padding: 0 10px">         *                                             roles. Default empty array.
</span><span class="cx" style="display: block; padding: 0 10px">         *     @type string[]     $role__not_in        An array of role names to exclude. Users matching one or more of these
</span><span class="cx" style="display: block; padding: 0 10px">         *                                             roles will not be included in results. Default empty array.
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+         *     @type string       $capability          An array or a comma-separated list of capability names that users must match
+        *                                             to be included in results. Note that this is an inclusive list: users
+        *                                             must match *each* capability.
+        *                                             Does NOT work for capabilities not in the database or filtered via {@see 'map_meta_cap'}.
+        *                                             Default empty.
+        *     @type string[]     $capability__in      An array of capability names. Matched users must have at least one of these
+        *                                             capabilities.
+        *                                             Does NOT work for capabilities not in the database or filtered via {@see 'map_meta_cap'}.
+        *                                             Default empty array.
+        *     @type string[]     $capability__not_in  An array of capability names to exclude. Users matching one or more of these
+        *                                             capabilities will not be included in results.
+        *                                             Does NOT work for capabilities not in the database or filtered via {@see 'map_meta_cap'}.
+        *                                             Default empty array.
</ins><span class="cx" style="display: block; padding: 0 10px">          *     @type string       $meta_key            User meta key. Default empty.
</span><span class="cx" style="display: block; padding: 0 10px">         *     @type string       $meta_value          User meta value. Default empty.
</span><span class="cx" style="display: block; padding: 0 10px">         *     @type string       $meta_compare        Comparison operator to test the `$meta_value`. Accepts '=', '!=',
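Review bot: the new `$capability` entry is declared `@type string`, but its description says it accepts an array or a comma-separated list, and the parsing code added further down in this file handles both; declare it as `string|string[]`. The wording "this is an inclusive list" would be clearer as a direct statement that all listed capabilities are required, which is what separates it from `$capability__in`.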
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -320,6 +337,17 @@
</span><span class="cx" style="display: block; padding: 0 10px">                $this->meta_query->parse_query_vars( $qv );
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">                if ( isset( $qv['who'] ) && 'authors' === $qv['who'] && $blog_id ) {
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+                        _deprecated_argument(
+                               'WP_User_Query',
+                               '5.9.0',
+                               sprintf(
+                                       /* translators: 1: who, 2: capability */
+                                       __( '%1$s is deprecated. Use %2$s instead.' ),
+                                       '<code>who</code>',
+                                       '<code>capability</code>'
+                               )
+                       );
+
</ins><span class="cx" style="display: block; padding: 0 10px">                         $who_query = array(
</span><span class="cx" style="display: block; padding: 0 10px">                                'key'     => $wpdb->get_blog_prefix( $blog_id ) . 'user_level',
</span><span class="cx" style="display: block; padding: 0 10px">                                'value'   => 0,
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -343,6 +371,7 @@
</span><span class="cx" style="display: block; padding: 0 10px">                        $this->meta_query->parse_query_vars( $this->meta_query->queries );
</span><span class="cx" style="display: block; padding: 0 10px">                }
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+                // Roles.
</ins><span class="cx" style="display: block; padding: 0 10px">                 $roles = array();
</span><span class="cx" style="display: block; padding: 0 10px">                if ( isset( $qv['role'] ) ) {
</span><span class="cx" style="display: block; padding: 0 10px">                        if ( is_array( $qv['role'] ) ) {
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -362,6 +391,111 @@
</span><span class="cx" style="display: block; padding: 0 10px">                        $role__not_in = (array) $qv['role__not_in'];
</span><span class="cx" style="display: block; padding: 0 10px">                }
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+                // Capabilities.
+               $available_roles = array();
+
+               if ( ! empty( $qv['capability'] ) || ! empty( $qv['capability__in'] ) || ! empty( $qv['capability__not_in'] ) ) {
+                       global $wp_roles;
+
+                       $wp_roles->for_site( $blog_id );
+                       $available_roles = $wp_roles->roles;
+               }
+
+               $capabilities = array();
+               if ( ! empty( $qv['capability'] ) ) {
+                       if ( is_array( $qv['capability'] ) ) {
+                               $capabilities = $qv['capability'];
+                       } elseif ( is_string( $qv['capability'] ) ) {
+                               $capabilities = array_map( 'trim', explode( ',', $qv['capability'] ) );
+                       }
+               }
+
+               $capability__in = array();
+               if ( ! empty( $qv['capability__in'] ) ) {
+                       $capability__in = (array) $qv['capability__in'];
+               }
+
+               $capability__not_in = array();
+               if ( ! empty( $qv['capability__not_in'] ) ) {
+                       $capability__not_in = (array) $qv['capability__not_in'];
+               }
+
+               // Keep track of all capabilities and the roles they're added on.
+               $caps_with_roles = array();
+
+               foreach ( $available_roles as $role => $role_data ) {
+                       $role_caps = array_keys( array_filter( $role_data['capabilities'] ) );
+
+                       foreach ( $capabilities as $cap ) {
+                               if ( in_array( $cap, $role_caps, true ) ) {
+                                       $caps_with_roles[ $cap ][] = $role;
+                                       break;
+                               }
+                       }
+
+                       foreach ( $capability__in as $cap ) {
+                               if ( in_array( $cap, $role_caps, true ) ) {
+                                       $role__in[] = $role;
+                                       break;
+                               }
+                       }
+
+                       foreach ( $capability__not_in as $cap ) {
+                               if ( in_array( $cap, $role_caps, true ) ) {
+                                       $role__not_in[] = $role;
+                                       break;
+                               }
+                       }
+               }
+
+               $role__in     = array_merge( $role__in, $capability__in );
+               $role__not_in = array_merge( $role__not_in, $capability__not_in );
+
+               $roles        = array_unique( $roles );
+               $role__in     = array_unique( $role__in );
+               $role__not_in = array_unique( $role__not_in );
+
+               // Support querying by capabilities added directly to users.
+               if ( $blog_id && ! empty( $capabilities ) ) {
+                       $capabilities_clauses = array( 'relation' => 'AND' );
+
+                       foreach ( $capabilities as $cap ) {
+                               $clause = array( 'relation' => 'OR' );
+
+                               $clause[] = array(
+                                       'key'     => $wpdb->get_blog_prefix( $blog_id ) . 'capabilities',
+                                       'value'   => '"' . $cap . '"',
+                                       'compare' => 'LIKE',
+                               );
+
+                               if ( ! empty( $caps_with_roles[ $cap ] ) ) {
+                                       foreach ( $caps_with_roles[ $cap ] as $role ) {
+                                               $clause[] = array(
+                                                       'key'     => $wpdb->get_blog_prefix( $blog_id ) . 'capabilities',
+                                                       'value'   => '"' . $role . '"',
+                                                       'compare' => 'LIKE',
+                                               );
+                                       }
+                               }
+
+                               $capabilities_clauses[] = $clause;
+                       }
+
+                       $role_queries[] = $capabilities_clauses;
+
+                       if ( empty( $this->meta_query->queries ) ) {
+                               $this->meta_query->queries[] = $capabilities_clauses;
+                       } else {
+                               // Append the cap query to the original queries and reparse the query.
+                               $this->meta_query->queries = array(
+                                       'relation' => 'AND',
+                                       array( $this->meta_query->queries, array( $capabilities_clauses ) ),
+                               );
+                       }
+
+                       $this->meta_query->parse_query_vars( $this->meta_query->queries );
+               }
+
</ins><span class="cx" style="display: block; padding: 0 10px">                 if ( $blog_id && ( ! empty( $roles ) || ! empty( $role__in ) || ! empty( $role__not_in ) || is_multisite() ) ) {
</span><span class="cx" style="display: block; padding: 0 10px">                        $role_queries = array();
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span></span></pre></div>
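Review bot: in the first inner loop, `foreach ( $capabilities as $cap )`, the `break` after `$caps_with_roles[ $cap ][] = $role;` stops at the first capability the role has, so for a `capability` query naming two capabilities a role that grants both is recorded only under the first one, and users holding that role fail the AND clause built for the second. Drop the `break` in that loop; it is fine in the `capability__in` and `capability__not_in` loops, which only need one hit per role. `$role_queries[] = $capabilities_clauses;` is discarded whenever the block that follows runs, because the context line right after the hunk resets `$role_queries = array();`. The `LIKE` on `'"' . $cap . '"'` matches the capability name in the stored meta regardless of its value, so a user with that capability explicitly set to false is returned as well, whereas role capabilities are passed through `array_filter()` first; callers should treat the result as a candidate list and not as an authorization decision. Finally, `$wp_roles->for_site( $blog_id )` repoints the global roles object and nothing in the hunk switches it back, which matters when `$blog_id` is not the current site.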
<a id="trunksrcwpincludesrestapiendpointsclasswprestuserscontrollerphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php       2021-10-27 18:20:58 UTC (rev 51942)
+++ trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php 2021-10-27 18:42:13 UTC (rev 51943)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -198,6 +198,15 @@
</span><span class="cx" style="display: block; padding: 0 10px">                        );
</span><span class="cx" style="display: block; padding: 0 10px">                }
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+                // Check if capabilities is specified in GET request and if user can list users.
+               if ( ! empty( $request['capabilities'] ) && ! current_user_can( 'list_users' ) ) {
+                       return new WP_Error(
+                               'rest_user_cannot_view',
+                               __( 'Sorry, you are not allowed to filter users by capability.' ),
+                               array( 'status' => rest_authorization_required_code() )
+                       );
+               }
+
</ins><span class="cx" style="display: block; padding: 0 10px">                 if ( 'edit' === $request['context'] && ! current_user_can( 'list_users' ) ) {
</span><span class="cx" style="display: block; padding: 0 10px">                        return new WP_Error(
</span><span class="cx" style="display: block; padding: 0 10px">                                'rest_forbidden_context',
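Review bot: the inline comment on the new `capabilities` guard restates the condition but not the reason for it. Say that filtering by capability is limited to callers with `list_users` because the filter would otherwise reveal which accounts hold a given capability to callers who are not allowed to list users, so a later refactor does not relax the check by accident.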
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -254,13 +263,14 @@
</span><span class="cx" style="display: block; padding: 0 10px">                 * present in $registered will be set.
</span><span class="cx" style="display: block; padding: 0 10px">                 */
</span><span class="cx" style="display: block; padding: 0 10px">                $parameter_mappings = array(
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-                        'exclude'  => 'exclude',
-                       'include'  => 'include',
-                       'order'    => 'order',
-                       'per_page' => 'number',
-                       'search'   => 'search',
-                       'roles'    => 'role__in',
-                       'slug'     => 'nicename__in',
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+                 'exclude'      => 'exclude',
+                       'include'      => 'include',
+                       'order'        => 'order',
+                       'per_page'     => 'number',
+                       'search'       => 'search',
+                       'roles'        => 'role__in',
+                       'capabilities' => 'capability__in',
+                       'slug'         => 'nicename__in',
</ins><span class="cx" style="display: block; padding: 0 10px">                 );
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">                $prepared_args = array();
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -1554,6 +1564,14 @@
</span><span class="cx" style="display: block; padding: 0 10px">                        ),
</span><span class="cx" style="display: block; padding: 0 10px">                );
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+                $query_params['capabilities'] = array(
+                       'description' => __( 'Limit result set to users matching at least one specific capability provided. Accepts csv list or single capability.' ),
+                       'type'        => 'array',
+                       'items'       => array(
+                               'type' => 'string',
+                       ),
+               );
+
</ins><span class="cx" style="display: block; padding: 0 10px">                 $query_params['who'] = array(
</span><span class="cx" style="display: block; padding: 0 10px">                        'description' => __( 'Limit result set to users who are considered authors.' ),
</span><span class="cx" style="display: block; padding: 0 10px">                        'type'        => 'string',
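Review bot: The `who` entry kept as context at the end of this hunk still reads 'Limit result set to users who are considered authors.', while the `who` tests in this changeset gain @expectedDeprecated WP_User_Query. If `who` now raises a deprecation notice, its schema description should say so and point API consumers at the new `capabilities` parameter added just above it.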
</span></span></pre></div>
<a id="trunksrcwpincludesuserphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: trunk/src/wp-includes/user.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/src/wp-includes/user.php    2021-10-27 18:20:58 UTC (rev 51942)
+++ trunk/src/wp-includes/user.php      2021-10-27 18:42:13 UTC (rev 51943)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -1320,6 +1320,9 @@
</span><span class="cx" style="display: block; padding: 0 10px">                'role'                    => '',
</span><span class="cx" style="display: block; padding: 0 10px">                'role__in'                => array(),
</span><span class="cx" style="display: block; padding: 0 10px">                'role__not_in'            => array(),
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+                'capability'              => '',
+               'capability__in'          => array(),
+               'capability__not_in'      => array(),
</ins><span class="cx" style="display: block; padding: 0 10px">         );
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">        $defaults['selected'] = is_author() ? get_query_var( 'author' ) : 0;
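Review bot: 'capability' defaults to '' while 'capability__in' and 'capability__not_in' default to array(), and the query tests in this changeset pass `capability` both as a string and as an array. The parameter documentation is not part of this hunk; it should list the three new arguments with their accepted types and state that an array given to `capability` requires every listed capability (as test_get_multiple_capabilities_should_only_match_users_who_have_each_capability_test expects), whereas `capability__in` matches any of them.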
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -1326,7 +1329,23 @@
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">        $parsed_args = wp_parse_args( $args, $defaults );
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-        $query_args = wp_array_slice_assoc( $parsed_args, array( 'blog_id', 'include', 'exclude', 'orderby', 'order', 'who', 'role', 'role__in', 'role__not_in' ) );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $query_args = wp_array_slice_assoc(
+               $parsed_args,
+               array(
+                       'blog_id',
+                       'include',
+                       'exclude',
+                       'orderby',
+                       'order',
+                       'who',
+                       'role',
+                       'role__in',
+                       'role__not_in',
+                       'capability',
+                       'capability__in',
+                       'capability__not_in',
+               )
+       );
</ins><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">        $fields = array( 'ID', 'user_login' );
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span></span></pre></div>
<a id="trunktestsphpunittestsrestapirestuserscontrollerphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: trunk/tests/phpunit/tests/rest-api/rest-users-controller.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/tests/phpunit/tests/rest-api/rest-users-controller.php      2021-10-27 18:20:58 UTC (rev 51942)
+++ trunk/tests/phpunit/tests/rest-api/rest-users-controller.php        2021-10-27 18:42:13 UTC (rev 51943)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -15,6 +15,7 @@
</span><span class="cx" style="display: block; padding: 0 10px">        protected static $editor;
</span><span class="cx" style="display: block; padding: 0 10px">        protected static $draft_editor;
</span><span class="cx" style="display: block; padding: 0 10px">        protected static $subscriber;
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+        protected static $author;
</ins><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">        protected static $authors     = array();
</span><span class="cx" style="display: block; padding: 0 10px">        protected static $posts       = array();
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -55,6 +56,13 @@
</span><span class="cx" style="display: block; padding: 0 10px">                                'user_email'   => 'subscriber@example.com',
</span><span class="cx" style="display: block; padding: 0 10px">                        )
</span><span class="cx" style="display: block; padding: 0 10px">                );
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+                self::$author       = $factory->user->create(
+                       array(
+                               'display_name' => 'author',
+                               'role'         => 'author',
+                               'user_email'   => 'author@example.com',
+                       )
+               );
</ins><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">                foreach ( array( true, false ) as $show_in_rest ) {
</span><span class="cx" style="display: block; padding: 0 10px">                        foreach ( array( true, false ) as $public ) {
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -107,7 +115,7 @@
</span><span class="cx" style="display: block; padding: 0 10px">                }
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">                // Set up users for pagination tests.
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-                for ( $i = 0; $i < self::$total_users - 10; $i++ ) {
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+         for ( $i = 0; $i < self::$total_users - 11; $i++ ) {
</ins><span class="cx" style="display: block; padding: 0 10px">                         self::$user_ids[] = $factory->user->create(
</span><span class="cx" style="display: block; padding: 0 10px">                                array(
</span><span class="cx" style="display: block; padding: 0 10px">                                        'role'         => 'contributor',
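Review bot: The loop bound moves from self::$total_users - 10 to self::$total_users - 11 to make room for the new self::$author fixture, and that literal has to be edited by hand whenever a fixture user is added. Suggest a comment naming the users the 11 stands for, or deriving the count from the fixtures created above, so the pagination totals cannot drift silently.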
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -121,6 +129,7 @@
</span><span class="cx" style="display: block; padding: 0 10px">                self::delete_user( self::$user );
</span><span class="cx" style="display: block; padding: 0 10px">                self::delete_user( self::$editor );
</span><span class="cx" style="display: block; padding: 0 10px">                self::delete_user( self::$draft_editor );
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+                self::delete_user( self::$author );
</ins><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">                foreach ( self::$posts as $post ) {
</span><span class="cx" style="display: block; padding: 0 10px">                        wp_delete_post( $post, true );
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -183,8 +192,7 @@
</span><span class="cx" style="display: block; padding: 0 10px">                $response = rest_get_server()->dispatch( $request );
</span><span class="cx" style="display: block; padding: 0 10px">                $data     = $response->get_data();
</span><span class="cx" style="display: block; padding: 0 10px">                $keys     = array_keys( $data['endpoints'][0]['args'] );
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-                sort( $keys );
-               $this->assertSame(
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+         $this->assertEqualSets(
</ins><span class="cx" style="display: block; padding: 0 10px">                         array(
</span><span class="cx" style="display: block; padding: 0 10px">                                'context',
</span><span class="cx" style="display: block; padding: 0 10px">                                'exclude',
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -195,6 +203,7 @@
</span><span class="cx" style="display: block; padding: 0 10px">                                'page',
</span><span class="cx" style="display: block; padding: 0 10px">                                'per_page',
</span><span class="cx" style="display: block; padding: 0 10px">                                'roles',
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+                                'capabilities',
</ins><span class="cx" style="display: block; padding: 0 10px">                                 'search',
</span><span class="cx" style="display: block; padding: 0 10px">                                'slug',
</span><span class="cx" style="display: block; padding: 0 10px">                                'who',
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -795,32 +804,19 @@
</span><span class="cx" style="display: block; padding: 0 10px">        public function test_get_items_roles() {
</span><span class="cx" style="display: block; padding: 0 10px">                wp_set_current_user( self::$user );
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-                $tango = $this->factory->user->create(
-                       array(
-                               'display_name' => 'tango',
-                               'role'         => 'subscriber',
-                       )
-               );
-               $yolo  = $this->factory->user->create(
-                       array(
-                               'display_name' => 'yolo',
-                               'role'         => 'author',
-                       )
-               );
-
</del><span class="cx" style="display: block; padding: 0 10px">                 $request = new WP_REST_Request( 'GET', '/wp/v2/users' );
</span><span class="cx" style="display: block; padding: 0 10px">                $request->set_param( 'roles', 'author,subscriber' );
</span><span class="cx" style="display: block; padding: 0 10px">                $response = rest_get_server()->dispatch( $request );
</span><span class="cx" style="display: block; padding: 0 10px">                $data     = $response->get_data();
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-                $this->assertCount( 3, $data );
-               $this->assertSame( $tango, $data[1]['id'] );
-               $this->assertSame( $yolo, $data[2]['id'] );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+         $this->assertCount( 2, $data );
+               $this->assertSame( self::$author, $data[0]['id'] );
+               $this->assertSame( self::$subscriber, $data[1]['id'] );
</ins><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">                $request->set_param( 'roles', 'author' );
</span><span class="cx" style="display: block; padding: 0 10px">                $response = rest_get_server()->dispatch( $request );
</span><span class="cx" style="display: block; padding: 0 10px">                $data     = $response->get_data();
</span><span class="cx" style="display: block; padding: 0 10px">                $this->assertCount( 1, $data );
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-                $this->assertSame( $yolo, $data[0]['id'] );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+         $this->assertSame( self::$author, $data[0]['id'] );
</ins><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">                wp_set_current_user( 0 );
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -838,28 +834,86 @@
</span><span class="cx" style="display: block; padding: 0 10px">        public function test_get_items_invalid_roles() {
</span><span class="cx" style="display: block; padding: 0 10px">                wp_set_current_user( self::$user );
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-                $lolz = $this->factory->user->create(
-                       array(
-                               'display_name' => 'lolz',
-                               'role'         => 'author',
-                       )
-               );
-
</del><span class="cx" style="display: block; padding: 0 10px">                 $request = new WP_REST_Request( 'GET', '/wp/v2/users' );
</span><span class="cx" style="display: block; padding: 0 10px">                $request->set_param( 'roles', 'ilovesteak,author' );
</span><span class="cx" style="display: block; padding: 0 10px">                $response = rest_get_server()->dispatch( $request );
</span><span class="cx" style="display: block; padding: 0 10px">                $data     = $response->get_data();
</span><span class="cx" style="display: block; padding: 0 10px">                $this->assertCount( 1, $data );
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-                $this->assertSame( $lolz, $data[0]['id'] );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+         $this->assertSame( self::$author, $data[0]['id'] );
</ins><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">                $request = new WP_REST_Request( 'GET', '/wp/v2/users' );
</span><span class="cx" style="display: block; padding: 0 10px">                $request->set_param( 'roles', 'steakisgood' );
</span><span class="cx" style="display: block; padding: 0 10px">                $response = rest_get_server()->dispatch( $request );
</span><span class="cx" style="display: block; padding: 0 10px">                $data     = $response->get_data();
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-                $this->assertCount( 0, $data );
-               $this->assertSame( array(), $data );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+         $this->assertIsArray( $data );
+               $this->assertEmpty( $data );
</ins><span class="cx" style="display: block; padding: 0 10px">         }
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+        /**
+        * @ticket 16841
+        */
+       public function test_get_items_capabilities() {
+               wp_set_current_user( self::$user );
+
+               $request = new WP_REST_Request( 'GET', '/wp/v2/users' );
+               $request->set_param( 'capabilities', 'edit_posts' );
+               $response = rest_get_server()->dispatch( $request );
+               $data     = $response->get_data();
+
+               $this->assertNotEmpty( $data );
+               foreach ( $data as $user ) {
+                       $this->assertTrue( user_can( $user['id'], 'edit_posts' ) );
+               }
+       }
+
+       /**
+        * @ticket 16841
+        */
+       public function test_get_items_capabilities_no_permission_no_user() {
+               wp_set_current_user( 0 );
+
+               $request = new WP_REST_Request( 'GET', '/wp/v2/users' );
+               $request->set_param( 'capabilities', 'edit_posts' );
+               $response = rest_get_server()->dispatch( $request );
+               $this->assertErrorResponse( 'rest_user_cannot_view', $response, 401 );
+       }
+
+       /**
+        * @ticket 16841
+        */
+       public function test_get_items_capabilities_no_permission_editor() {
+               wp_set_current_user( self::$editor );
+
+               $request = new WP_REST_Request( 'GET', '/wp/v2/users' );
+               $request->set_param( 'capabilities', 'edit_posts' );
+               $response = rest_get_server()->dispatch( $request );
+               $this->assertErrorResponse( 'rest_user_cannot_view', $response, 403 );
+       }
+
+       /**
+        * @ticket 16841
+        */
+       public function test_get_items_invalid_capabilities() {
+               wp_set_current_user( self::$user );
+
+               $request = new WP_REST_Request( 'GET', '/wp/v2/users' );
+               $request->set_param( 'roles', 'ilovesteak,author' );
+               $response = rest_get_server()->dispatch( $request );
+               $data     = $response->get_data();
+               $this->assertCount( 1, $data );
+               $this->assertSame( self::$author, $data[0]['id'] );
+
+               $request = new WP_REST_Request( 'GET', '/wp/v2/users' );
+               $request->set_param( 'capabilities', 'steakisgood' );
+               $response = rest_get_server()->dispatch( $request );
+               $data     = $response->get_data();
+               $this->assertIsArray( $data );
+               $this->assertEmpty( $data );
+       }
+
+       /**
+        * @expectedDeprecated WP_User_Query
+        */
</ins><span class="cx" style="display: block; padding: 0 10px">         public function test_get_items_who_author_query() {
</span><span class="cx" style="display: block; padding: 0 10px">                wp_set_current_user( self::$superadmin );
</span><span class="cx" style="display: block; padding: 0 10px"> 
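Review bot: In test_get_items_invalid_capabilities the first request sets `roles` to 'ilovesteak,author', copied from test_get_items_invalid_roles, so the mixed valid and invalid case is never exercised for `capabilities`. Suggest setting `capabilities` to one unknown and one real capability there and asserting on the users returned. test_get_items_capabilities also sends a single value only, so the csv form promised in the schema description has no coverage in this hunk.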
</span></span></pre></div>
<a id="trunktestsphpunittestsuserqueryphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: trunk/tests/phpunit/tests/user/query.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/tests/phpunit/tests/user/query.php  2021-10-27 18:20:58 UTC (rev 51942)
+++ trunk/tests/phpunit/tests/user/query.php    2021-10-27 18:42:13 UTC (rev 51943)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -730,6 +730,7 @@
</span><span class="cx" style="display: block; padding: 0 10px">        /**
</span><span class="cx" style="display: block; padding: 0 10px">         * @ticket 32019
</span><span class="cx" style="display: block; padding: 0 10px">         * @group ms-required
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+         * @expectedDeprecated WP_User_Query
</ins><span class="cx" style="display: block; padding: 0 10px">          */
</span><span class="cx" style="display: block; padding: 0 10px">        public function test_who_authors() {
</span><span class="cx" style="display: block; padding: 0 10px">                $b = self::factory()->blog->create();
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -755,6 +756,7 @@
</span><span class="cx" style="display: block; padding: 0 10px">        /**
</span><span class="cx" style="display: block; padding: 0 10px">         * @ticket 32019
</span><span class="cx" style="display: block; padding: 0 10px">         * @group ms-required
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+         * @expectedDeprecated WP_User_Query
</ins><span class="cx" style="display: block; padding: 0 10px">          */
</span><span class="cx" style="display: block; padding: 0 10px">        public function test_who_authors_should_work_alongside_meta_query() {
</span><span class="cx" style="display: block; padding: 0 10px">                $b = self::factory()->blog->create();
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -789,6 +791,7 @@
</span><span class="cx" style="display: block; padding: 0 10px">        /**
</span><span class="cx" style="display: block; padding: 0 10px">         * @ticket 36724
</span><span class="cx" style="display: block; padding: 0 10px">         * @group ms-required
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+         * @expectedDeprecated WP_User_Query
</ins><span class="cx" style="display: block; padding: 0 10px">          */
</span><span class="cx" style="display: block; padding: 0 10px">        public function test_who_authors_should_work_alongside_meta_params() {
</span><span class="cx" style="display: block; padding: 0 10px">                $b = self::factory()->blog->create();
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -1725,4 +1728,242 @@
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">                return array( 555 );
</span><span class="cx" style="display: block; padding: 0 10px">        }
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+
+       /**
+        * @ticket 16841
+        * @group ms-excluded
+        */
+       public function test_get_single_capability_by_string() {
+               $wp_user_search = new WP_User_Query( array( 'capability' => 'install_plugins' ) );
+               $users          = $wp_user_search->get_results();
+
+               $this->assertNotEmpty( $users );
+               foreach ( $users as $user ) {
+                       // User has the capability, but on Multisite they would also need to be a super admin.
+                       // Hence using get_role_caps() instead of has_cap().
+                       $role_caps = $user->get_role_caps();
+                       $this->assertArrayHasKey( 'install_plugins', $role_caps );
+                       $this->assertTrue( $role_caps['install_plugins'] );
+               }
+       }
+
+       /**
+        * @ticket 16841
+        * @group ms-required
+        */
+       public function test_get_single_capability_by_string_multisite() {
+               $wp_user_search = new WP_User_Query( array( 'capability' => array( 'install_plugins' ) ) );
+               $users          = $wp_user_search->get_results();
+
+               $this->assertNotEmpty( $users );
+               foreach ( $users as $user ) {
+                       $role_caps = $user->get_role_caps();
+                       $this->assertArrayHasKey( 'install_plugins', $role_caps );
+                       $this->assertTrue( $role_caps['install_plugins'] );
+                       // While the user can have the capability, on Multisite they also need to be a super admin.
+                       if ( is_super_admin( $user->ID ) ) {
+                               $this->assertTrue( $user->has_cap( 'install_plugins' ) );
+                       } else {
+                               $this->assertFalse( $user->has_cap( 'install_plugins' ) );
+                       }
+               }
+       }
+
+       /**
+        * @ticket 16841
+        */
+       public function test_get_single_capability_invalid() {
+               $wp_user_search = new WP_User_Query( array( 'capability' => 'foo_bar' ) );
+               $users          = $wp_user_search->get_results();
+
+               $this->assertEmpty( $users );
+       }
+
+       /**
+        * @ticket 16841
+        */
+       public function test_get_single_capability_by_array() {
+               $wp_user_search = new WP_User_Query( array( 'capability' => array( 'install_plugins' ) ) );
+               $users          = $wp_user_search->get_results();
+
+               $this->assertNotEmpty( $users );
+               foreach ( $users as $user ) {
+                       // User has the capability, but on Multisite they would also need to be a super admin.
+                       // Hence using get_role_caps() instead of has_cap().
+                       $role_caps = $user->get_role_caps();
+                       $this->assertArrayHasKey( 'install_plugins', $role_caps );
+                       $this->assertTrue( $role_caps['install_plugins'] );
+               }
+       }
+
+       /**
+        * @ticket 16841
+        */
+       public function test_get_single_capability_added_to_user() {
+               foreach ( self::$sub_ids as $subscriber ) {
+                       $subscriber = get_user_by( 'ID', $subscriber );
+                       $subscriber->add_cap( 'custom_cap' );
+               }
+
+               $wp_user_search = new WP_User_Query( array( 'capability' => 'custom_cap' ) );
+               $users          = $wp_user_search->get_results();
+
+               $this->assertCount( 2, $users );
+               $this->assertEqualSets( self::$sub_ids, wp_list_pluck( $users, 'ID' ) );
+
+               foreach ( $users as $user ) {
+                       $this->assertTrue( $user->has_cap( 'custom_cap' ) );
+               }
+       }
+
+       /**
+        * @ticket 16841
+        */
+       public function test_get_multiple_capabilities_should_only_match_users_who_have_each_capability_test() {
+               wp_roles()->add_role( 'role_1', 'Role 1', array( 'role_1_cap' => true ) );
+               wp_roles()->add_role( 'role_2', 'Role 2', array( 'role_2_cap' => true ) );
+
+               $subscriber1 = get_user_by( 'ID', self::$sub_ids[0] );
+               $subscriber1->add_role( 'role_1' );
+
+               $subscriber2 = get_user_by( 'ID', self::$sub_ids[1] );
+               $subscriber2->add_role( 'role_1' );
+               $subscriber2->add_role( 'role_2' );
+
+               $wp_user_search = new WP_User_Query( array( 'capability' => array( 'role_1_cap', 'role_2_cap' ) ) );
+               $users          = $wp_user_search->get_results();
+
+               $this->assertCount( 1, $users );
+               $this->assertSame( $users[0]->ID, $subscriber2->ID );
+               foreach ( $users as $user ) {
+                       $this->assertTrue( $user->has_cap( 'role_1_cap' ) );
+                       $this->assertTrue( $user->has_cap( 'role_2_cap' ) );
+               }
+       }
+
+       /**
+        * @ticket 16841
+        */
+       public function test_get_multiple_capabilities_should_only_match_users_who_have_each_capability_added_to_user() {
+               $admin1 = get_user_by( 'ID', self::$admin_ids[0] );
+               $admin1->add_cap( 'custom_cap' );
+
+               $wp_user_search = new WP_User_Query( array( 'capability' => array( 'manage_options', 'custom_cap' ) ) );
+               $users          = $wp_user_search->get_results();
+
+               $this->assertCount( 1, $users );
+               $this->assertSame( $users[0]->ID, $admin1->ID );
+               $this->assertTrue( $users[0]->has_cap( 'custom_cap' ) );
+               $this->assertTrue( $users[0]->has_cap( 'manage_options' ) );
+       }
+
+       /**
+        * @ticket 16841
+        */
+       public function test_get_multiple_capabilities_or() {
+               $wp_user_search = new WP_User_Query( array( 'capability__in' => array( 'publish_posts', 'edit_posts' ) ) );
+               $users          = $wp_user_search->get_results();
+
+               $this->assertNotEmpty( $users );
+               foreach ( $users as $user ) {
+                       $this->assertTrue( $user->has_cap( 'publish_posts' ) || $user->has_cap( 'edit_posts' ) );
+               }
+       }
+
+       /**
+        * @ticket 16841
+        */
+       public function test_get_multiple_capabilities_or_added_to_user() {
+               $user = self::factory()->user->create_and_get( array( 'role' => 'subscriber' ) );
+               $user->add_cap( 'custom_cap' );
+
+               $wp_user_search = new WP_User_Query( array( 'capability__in' => array( 'publish_posts', 'custom_cap' ) ) );
+               $users          = $wp_user_search->get_results();
+
+               $this->assertNotEmpty( $users );
+               foreach ( $users as $user ) {
+                       $this->assertTrue( $user->has_cap( 'publish_posts' ) || $user->has_cap( 'custom_cap' ) );
+               }
+       }
+
+       /**
+        * @ticket 16841
+        */
+       public function test_capability_exclusion() {
+               $wp_user_search = new WP_User_Query( array( 'capability__not_in' => array( 'publish_posts', 'edit_posts' ) ) );
+               $users          = $wp_user_search->get_results();
+
+               $this->assertNotEmpty( $users );
+               foreach ( $users as $user ) {
+                       $this->assertFalse( $user->has_cap( 'publish_posts' ) );
+                       $this->assertFalse( $user->has_cap( 'edit_posts' ) );
+               }
+       }
+
+       /**
+        * @ticket 16841
+        */
+       public function test_capability_exclusion_added_to_user() {
+               $user = self::factory()->user->create_and_get( array( 'role' => 'subscriber' ) );
+               $user->add_cap( 'custom_cap' );
+
+               $wp_user_search = new WP_User_Query( array( 'capability__not_in' => array( 'publish_posts', 'custom_cap' ) ) );
+               $users          = $wp_user_search->get_results();
+
+               $this->assertNotEmpty( $users );
+               foreach ( $users as $user ) {
+                       $this->assertFalse( $user->has_cap( 'publish_posts' ) );
+                       $this->assertFalse( $user->has_cap( 'custom_cap' ) );
+               }
+       }
+
+       /**
+        * @ticket 16841
+        */
+       public function test_capability__in_capability__not_in_combined() {
+               $wp_user_search = new WP_User_Query(
+                       array(
+                               'capability__in'     => array( 'read' ),
+                               'capability__not_in' => array( 'manage_options' ),
+                       )
+               );
+               $users          = $wp_user_search->get_results();
+
+               $this->assertNotEmpty( $users );
+               foreach ( $users as $user ) {
+                       $this->assertTrue( $user->has_cap( 'read' ) );
+                       $this->assertFalse( $user->has_cap( 'manage_options' ) );
+               }
+       }
+
+       /**
+        * @ticket 16841
+        * @group ms-required
+        */
+       public function test_get_single_capability_multisite_blog_id() {
+               $blog_id = self::factory()->blog->create();
+
+               add_user_to_blog( $blog_id, self::$author_ids[0], 'subscriber' );
+               add_user_to_blog( $blog_id, self::$author_ids[1], 'author' );
+               add_user_to_blog( $blog_id, self::$author_ids[2], 'editor' );
+
+               $wp_user_search = new WP_User_Query(
+                       array(
+                               'capability' => 'publish_posts',
+                               'blog_id'    => $blog_id,
+                       )
+               );
+               $users          = $wp_user_search->get_results();
+
+               $found = wp_list_pluck( $wp_user_search->get_results(), 'ID' );
+
+               $this->assertNotEmpty( $users );
+               foreach ( $users as $user ) {
+                       $this->assertTrue( $user->has_cap( 'publish_posts' ) );
+               }
+
+               $this->assertNotContains( self::$author_ids[0], $found );
+               $this->assertContains( self::$author_ids[1], $found );
+               $this->assertContains( self::$author_ids[2], $found );
+       }
</ins><span class="cx" style="display: block; padding: 0 10px"> }
</span></span></pre></div>
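Review bot: in test_capability_exclusion_added_to_user the foreach loop reuses $user, overwriting the subscriber that was just given custom_cap, so the test never names the account it expects to be excluded. Rename the loop variable and add an assertNotContains on the fixture user's ID against wp_list_pluck( $users, 'ID' ), as test_get_single_capability_multisite_blog_id already does for its fixtures. In that multisite test get_results() is called twice; $found can be built from $users instead.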
<a id="trunktestsphpunittestsxmlrpcwpgetUsersphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: trunk/tests/phpunit/tests/xmlrpc/wp/getUsers.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/tests/phpunit/tests/xmlrpc/wp/getUsers.php  2021-10-27 18:20:58 UTC (rev 51942)
+++ trunk/tests/phpunit/tests/xmlrpc/wp/getUsers.php    2021-10-27 18:42:13 UTC (rev 51943)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -54,6 +54,9 @@
</span><span class="cx" style="display: block; padding: 0 10px">                $this->assertSame( 403, $results->code );
</span><span class="cx" style="display: block; padding: 0 10px">        }
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+        /**
+        * @expectedDeprecated WP_User_Query
+        */
</ins><span class="cx" style="display: block; padding: 0 10px">         function test_role_filter() {
</span><span class="cx" style="display: block; padding: 0 10px">                $author_id        = $this->make_user_by_role( 'author' );
</span><span class="cx" style="display: block; padding: 0 10px">                $editor_id        = $this->make_user_by_role( 'editor' );
</span></span></pre></div>
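Review bot: the docblock added above test_role_filter carries only @expectedDeprecated WP_User_Query, with no summary of which call in the test raises the notice and no @ticket reference like the tests added elsewhere in this changeset. Add a one-line description and the ticket so a later reader can tell whether the deprecated usage sits in the test itself or in the XML-RPC method it exercises.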
<a id="trunktestsqunitfixtureswpapigeneratedjs"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: trunk/tests/qunit/fixtures/wp-api-generated.js</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/tests/qunit/fixtures/wp-api-generated.js    2021-10-27 18:20:58 UTC (rev 51942)
+++ trunk/tests/qunit/fixtures/wp-api-generated.js      2021-10-27 18:42:13 UTC (rev 51943)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -5357,6 +5357,14 @@
</span><span class="cx" style="display: block; padding: 0 10px">                             },
</span><span class="cx" style="display: block; padding: 0 10px">                             "required": false
</span><span class="cx" style="display: block; padding: 0 10px">                         },
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+                        "capabilities": {
+                            "description": "Limit result set to users matching at least one specific capability provided. Accepts csv list or single capability.",
+                            "type": "array",
+                            "items": {
+                                "type": "string"
+                            },
+                            "required": false
+                        },
</ins><span class="cx" style="display: block; padding: 0 10px">                         "who": {
</span><span class="cx" style="display: block; padding: 0 10px">                             "description": "Limit result set to users who are considered authors.",
</span><span class="cx" style="display: block; padding: 0 10px">                             "type": "string",
</span></span></pre>
</div>
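Review bot: the new capabilities entry is published as an optional request argument that accepts any string, and nothing in this fixture shows who is allowed to use it. Filtering users by capability tells the caller which accounts hold a given privilege, so confirm that the controller rejects the argument for callers who may not list users and that a test covers the rejected request. In the description, csv should read CSV.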
</div>

</body>
</html>