[wp-trac] [WordPress Trac] #39701: Do not allow editing users from a different site in REST API

WordPress Trac noreply at wordpress.org
Sat Jan 28 14:02:33 UTC 2017


#39701: Do not allow editing users from a different site in REST API
--------------------------+------------------------
 Reporter:  flixos90      |       Owner:  flixos90
     Type:  defect (bug)  |      Status:  assigned
 Priority:  normal        |   Milestone:  4.7.3
Component:  REST API      |     Version:  4.7
 Severity:  normal        |  Resolution:
 Keywords:  needs-patch   |     Focuses:  multisite
--------------------------+------------------------

Comment (by flixos90):

 While working on a patch, I took a closer look at the current state of
 users in the REST API in a multisite environment. Some of our initial
 observations were slightly incorrect. Referring to
 https://make.wordpress.org/core/2017/01/11/controlling-access-to-rest-api-user-functionality-for-multisite/:

 > It is possible to both read and edit any user from any site with a
 > request to `wp-json/wp/v2/users/<id>`, regardless of whether the user is
 > part of that site.

 The thing certain to be a bug currently is that it is possible to read any
 user from any site with a `GET` request. If possible at all, this should
 only be available if the current user is a super admin.
 The updating bit of the above quote is wrong: Updating a user in multisite
 is only available to super admins, no site administrator can send a
 `POST/PUT/PATCH` successfully, as in the permission check
 `current_user_can( 'edit_user', $user_id )` returns false unless a super
 admin. That is because in `map_meta_cap()` 'edit_user' maps to
 'do_not_allow' in a multisite unless the current user can
 `manage_network_users`. Also when updating a user through the REST API as
 a super admin, that user is automatically added to the current site if
 they haven't been a member of it before. I kind of see where this is
 coming from, but I think that should be removed as well as we'll probably
 wanna have more clear control about that.

 So I would suggest to do the following for 4.7.3:
 * Reading a user from another site (via `GET` request) should only be
 available to super admins (can be checked with `current_user_can(
 'edit_user', $user_id )` because of the mapping explained above).
 * Since updating is currently only available to super admins anyway, we
 don't need to worry too much about permissions of an `UPDATE` request. I
 would suggest though to remove the automatic call to `add_user_to_blog()`
 and instead return an error if a request tries to set roles on a user that
 is not part of the current site. This change would ensure that in the
 current state both adding and removing a user from a site is not possible,
 which would allow us to come up with a sophisticated approach for 4.8.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/39701#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
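The two checks proposed in the comment above, written out as a standalone plugin-style filter. This is an added illustration for readers of the thread, not the patch attached to #39701 and not core's eventual fix; the hook (`rest_pre_dispatch`), the function name `example_rest_user_access_check`, the error codes and the route regex are assumptions chosen for the example. It relies only on core functions that exist in 4.7: `is_multisite()`, `is_user_member_of_blog()`, `current_user_can()`, `rest_authorization_required_code()` and the `WP_REST_Request` accessors.

```php
<?php
/**
 * Added example (not the ticket's patch): tighten /wp/v2/users/<id> in
 * multisite along the lines proposed in comment:2 of #39701.
 *
 * 1. Reading a user who is not a member of the current site requires the
 *    'edit_user' meta capability, which map_meta_cap() resolves to
 *    'do_not_allow' in multisite unless the caller can manage_network_users,
 *    i.e. only super admins pass.
 * 2. A write request that sets roles on a non-member user is rejected instead
 *    of relying on the controller's implicit add_user_to_blog() call, so this
 *    endpoint neither adds nor removes site membership.
 *
 * Hook choice, function name and error codes are assumptions for this example.
 */

/**
 * Returns true when the current user may access $user_id from this site, or a
 * WP_Error explaining why not.
 */
function example_rest_user_access_check( $user_id, WP_REST_Request $request ) {
	// Single-site installs are unaffected; the controller's own checks apply.
	if ( ! is_multisite() ) {
		return true;
	}

	// Members of the current site are handled by the existing permission checks.
	if ( is_user_member_of_blog( $user_id, get_current_blog_id() ) ) {
		return true;
	}

	// Cross-site read or write: effectively "is the caller a super admin?".
	if ( ! current_user_can( 'edit_user', $user_id ) ) {
		return new WP_Error(
			'rest_user_cannot_view',
			__( 'Sorry, you are not allowed to access this user from this site.' ),
			array( 'status' => rest_authorization_required_code() ) // 401 or 403
		);
	}

	// Super admin writing roles for a non-member: refuse rather than silently
	// adding the user to the site.
	$is_write = in_array( $request->get_method(), array( 'POST', 'PUT', 'PATCH' ), true );
	if ( $is_write && null !== $request->get_param( 'roles' ) ) {
		return new WP_Error(
			'rest_user_not_site_member',
			__( 'The user is not a member of this site, so roles cannot be set.' ),
			array( 'status' => 400 )
		);
	}

	return true;
}

/**
 * Run the check before the users controller dispatches. Only numeric ids are
 * matched, so /wp/v2/users/me and the collection route are left alone.
 * Returning a WP_Error from rest_pre_dispatch halts dispatch and sends it.
 */
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
	if ( ! preg_match( '#^/wp/v2/users/(\d+)$#', $request->get_route(), $m ) ) {
		return $result;
	}

	$check = example_rest_user_access_check( (int) $m[1], $request );

	return is_wp_error( $check ) ? $check : $result;
}, 10, 3 );
```

Because the membership test runs before the controller's existence check, a non-super-admin probing ids of users from other sites receives the same 401/403 whether or not the id exists, which also avoids leaking which ids are valid network-wide.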