[wp-trac] [WordPress Trac] #39701: Do not allow editing users from a different site in REST API

WordPress Trac noreply at wordpress.org
Thu Feb 23 22:36:56 UTC 2017


#39701: Do not allow editing users from a different site in REST API
---------------------------------------------+------------------------
 Reporter:  flixos90                         |       Owner:  flixos90
     Type:  defect (bug)                     |      Status:  closed
 Priority:  normal                           |   Milestone:  4.7.3
Component:  REST API                         |     Version:  4.7
 Severity:  normal                           |  Resolution:  fixed
 Keywords:  has-patch has-unit-tests commit  |     Focuses:  multisite
---------------------------------------------+------------------------
Changes (by flixos90):

 * status:  accepted => closed
 * resolution:   => fixed


Comment:

 In [changeset:"40106"]:
 {{{
 #!CommitTicketReference repository="" revision="40106"
 REST API: Do not allow access to users from a different site in multisite.

 It has been unintendedly possible to both view and edit users from a
 different site than the current site in multisite environments. Moreover,
 when passing roles to a user in an update request, that user would
 implicitly be added to the current site.

 This changeset removes the incorrect behavior for now in order to be able
 to provide a proper REST API workflow for managing multisite users in the
 near future. Related unit tests have been adjusted as well.

 Props jnylen0, jeremyfelt, johnjamesjacoby.
 Fixes #39701.
 }}}

--
Ticket URL: <https://core.trac.wordpress.org/ticket/39701#comment:27>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

