[wp-trac] [WordPress Trac] #39155: REST API: User with default admin role cannot create new user via rest api

WordPress Trac noreply at wordpress.org
Wed Dec 7 18:45:30 UTC 2016


#39155: REST API: User with default admin role cannot create new user via rest api
--------------------------+-----------------------------
 Reporter:  friendlyfire  |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  HTTP API      |    Version:  4.7
 Severity:  normal        |   Keywords:
  Focuses:  rest-api      |
--------------------------+-----------------------------
 '''SUMMARY:'''

 When acting as a site administrator on a multisite install and attempting
 to create a user or update an existing user on the following endpoint:
 {{{
 /wp-json/wp/v2/users/141?context=edit
 }}}


 I get:

 {{{
 403 "rest_cannot_edit"
 }}}



 '''REPRODUCTION STEPS:'''

 - Spin up a fresh 4.7 WP multisite install.
 - Create a subsite with a new user with the default administrator role.
 - Authenticate as the subsite admin by logging in.
 - Create some sort of JS form that posts to the API endpoint for a user
 (we're doing this via Angular). For example:

 {{{
 // POST to the users collection creates a user; the X-WP-Nonce header is
 // required for cookie authentication against the REST API.
 $.ajax( {
   url: WP_API_Settings.root + 'wp/v2/users/',
   method: 'POST',
   beforeSend: function ( xhr ) {
     xhr.setRequestHeader( 'X-WP-Nonce', WP_API_Settings.nonce );
   },
   data: {
     email: 'someone@somewhere.net',
     username: 'someone',
     password: Math.random().toString( 36 ).substring( 7 )
   }
 } ).done( function ( response ) {
   console.log( response );
 } );
 }}}

 - Make sure that you're passing the WP_API_Settings.nonce to the js so you
 can post back to the api.
 - Submit request.


 '''CURRENT RESULTS:'''
 The response is 403 "rest_cannot_edit".


 '''EXPECTED RESULTS:'''
 A 200 response for any role that has the privilege to create, update or
 delete users. (I confirmed this doesn't work with custom roles either.)



 '''SIDE NOTE:'''
 If you did this with a super admin role for the multisite network, you get
 a 200 response on the PUT or POST to the users endpoint.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/39155>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

