[wp-trac] [WordPress Trac] #38962: REST API: Don't delete posts/links when deleting/removing a user from a site in a multisite install

WordPress Trac noreply at wordpress.org
Sun Nov 27 15:41:19 UTC 2016


#38962: REST API: Don't delete posts/links when deleting/removing a user from a
site in a multisite install
--------------------------+-------------------
 Reporter:  ocean90       |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  high          |  Milestone:  4.7
Component:  REST API      |    Version:  trunk
 Severity:  major         |   Keywords:
  Focuses:  multisite     |
--------------------------+-------------------
 In wp-admin of a site in a multisite install it's not possible
 [https://core.trac.wordpress.org/browser/trunk/src/wp-admin/users.php?rev=39312&marks=147,148,196,197#L146 to delete a user],
 you can only
 [https://core.trac.wordpress.org/browser/trunk/src/wp-admin/users.php?rev=39312&marks=308,309,322-333#L304 remove a user].
 Removing a user doesn't delete all their assigned posts/links.

 The current endpoint
 [https://core.trac.wordpress.org/browser/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php?rev=39348&marks=703#L665 uses wp_delete_user()]
 which also uses `remove_user_from_blog()` but only after removing all the
 posts and links.

 This is critical because a) the user isn't actually deleted and b) the
 behaviour differs from wp-admin and can lead to unexpected data loss.
 While the API supports a `reassign` parameter it's not required to be set
 unlike the `force` parameter.

 The severity of this issue can probably be a bit reduced if we require the
 `reassign` parameter for all requests. For the current default behaviour
 I'd have to set `reassign=>null` explicitly.

 A related issue: The capability check differs from wp-admin too,
 `remove_users` vs. `delete_users`. This was
 [https://github.com/WP-API/WP-API/issues/2742 already reported on the GitHub repo]
 but without a response yet.

 I've also searched through some of the issues and found a general one
 about "[https://github.com/WP-API/WP-API/issues/789 Deleting an item
 should always delete an item]". It's also the issue where the question
 "[https://github.com/WP-API/WP-API/issues/789#issuecomment-94075125 What
 should DELETE wp/users/1 do on single site vs. multisite?]" was asked.  I
 couldn't find an answer though.

 If we don't want to handle removing users via the DELETE route we may have
 to think about disabling the route for multisite.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/38962>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
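
The mitigation proposed in the ticket (require `reassign` on every user DELETE in multisite) can be approximated by a site operator with a `rest_pre_dispatch` filter; this is an added example, not code from the ticket or from WordPress core. The function name and the two error codes are hypothetical, and the route pattern assumes the core `/wp/v2/users` routes.

```php
<?php
// Added example, not WordPress core code. Assumes it is loaded as a plugin.
add_filter( 'rest_pre_dispatch', 'example_require_reassign_on_user_delete', 10, 3 );

function example_require_reassign_on_user_delete( $result, $server, $request ) {
	// Only act on multisite, on DELETE, and if nothing else answered already.
	if ( null !== $result || ! is_multisite() || 'DELETE' !== $request->get_method() ) {
		return $result;
	}
	// Core users routes: /wp/v2/users/<id> and /wp/v2/users/me.
	if ( ! preg_match( '#^/wp/v2/users/(?:\d+|me)$#', $request->get_route() ) ) {
		return $result;
	}

	// Check for the key itself so an explicit empty/null value is
	// distinguishable from a caller who never thought about reassignment.
	$params = $request->get_params();
	if ( ! array_key_exists( 'reassign', $params ) ) {
		return new WP_Error(
			'example_rest_reassign_required', // hypothetical error code
			'Pass reassign explicitly: a user ID on this site, or an empty value.',
			array( 'status' => 400 )
		);
	}

	$reassign = $params['reassign'];
	if ( null === $reassign || '' === $reassign ) {
		// Caller explicitly opted out of reassignment; hand over to the controller.
		return $result;
	}

	// A reassign target must be an existing user who is a member of this site,
	// otherwise content would be handed to an account that cannot manage it.
	$target = absint( $reassign );
	if ( ! $target || ! get_userdata( $target )
		|| ! is_user_member_of_blog( $target, get_current_blog_id() ) ) {
		return new WP_Error(
			'example_rest_reassign_invalid', // hypothetical error code
			'reassign must be the ID of a user on this site.',
			array( 'status' => 400 )
		);
	}
	return $result;
}
```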

