[wp-trac] [WordPress Trac] #39701: Do not allow editing users from a different site in REST API

WordPress Trac noreply at wordpress.org
Thu Jan 26 13:29:16 UTC 2017


#39701: Do not allow editing users from a different site in REST API
--------------------------+-------------------------
 Reporter:  flixos90      |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  4.7.2
Component:  REST API      |    Version:  4.7
 Severity:  normal        |   Keywords:  needs-patch
  Focuses:  multisite     |
--------------------------+-------------------------
 Currently it is possible to edit any user via the REST API when sending a
 request to `wp-json/wp/v2/users/<id>`, even when the user with that ID is
 not part of the current site. As discussed in multisite office-hours, this
 is not desired and considered a bug. Only users of the site where the
 route is accessed should be editable.

 Managing users beyond a single site will only become available in a future
 release, and it will work differently than this.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/39701>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
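
The check the ticket asks for, sketched as a stopgap must-use plugin; this is an added example, not WordPress core code or the patch for this ticket. The function name `example_block_cross_site_user_edit`, the choice to leave read requests alone, and the 404 response are assumptions made for illustration.

```php
<?php
/**
 * Added example (not core code): reject write requests to
 * /wp/v2/users/<id> on multisite when the target user is not a
 * member of the site that is handling the request.
 */
add_filter( 'rest_pre_dispatch', 'example_block_cross_site_user_edit', 10, 3 );

function example_block_cross_site_user_edit( $result, $server, $request ) {
	// Respect a response or error already set by an earlier filter,
	// and do nothing on single-site installs.
	if ( null !== $result || ! is_multisite() ) {
		return $result;
	}

	// Only the single-user route is in scope. The REST server matches
	// routes case-insensitively, so this pattern must do the same.
	if ( ! preg_match( '#^/wp/v2/users/(\d+)$#i', $request->get_route(), $m ) ) {
		return $result;
	}

	// Assumption: only editing is restricted here; reads pass through.
	$write_methods = array( 'POST', 'PUT', 'PATCH', 'DELETE' );
	if ( ! in_array( $request->get_method(), $write_methods, true ) ) {
		return $result;
	}

	// An ID of 0 would make is_user_member_of_blog() fall back to the
	// current user, so only positive IDs can pass the membership check.
	$user_id = (int) $m[1];
	if ( $user_id > 0 && is_user_member_of_blog( $user_id, get_current_blog_id() ) ) {
		return $result;
	}

	// Same answer as for a nonexistent user, so the response does not
	// reveal that the ID belongs to a user elsewhere on the network.
	return new WP_Error(
		'rest_user_invalid_id',
		__( 'Invalid user ID.' ),
		array( 'status' => 404 )
	);
}
```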

