[wp-trac] [WordPress Trac] #25016: XMLRPC method "wp.getUsers" not working correctly on WordPress.com
WordPress Trac
noreply at wordpress.org
Tue Aug 13 13:42:57 UTC 2013
#25016: XMLRPC method "wp.getUsers" not working correctly on WordPress.com
--------------------------+------------------------------
 Reporter:  dinomic       |       Owner:
     Type:  defect (bug)  |      Status:  reopened
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  XML-RPC       |     Version:  trunk
 Severity:  normal        |  Resolution:
 Keywords:                |
--------------------------+------------------------------
Comment (by nacin):

In multisite, only super admins have the edit_users capability. To a mere
administrator who can list users, _prepare_user() might return more data
than they can otherwise see in a user list. (Granted, not much — like
registered date, names other than the display name, etc.)

One option could be to only allow `fields => basic` in multisite. Or throw
it out the window and allow all current fields. '''That said,''' let's
create a unit test that verifies that a regular administrator only
receives the current list of fields. That way if any more fields are added
in the future, we don't get surprised that a regular administrator in
multisite sees data that they shouldn't.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/25016#comment:7>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
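
A client-side version of the check the comment asks for, as an added example that is not part of the original ticket or of WordPress itself: it parses a `wp.getUsers` methodResponse and reports every struct key outside a pinned baseline, so a newly exposed field fails the check. The baseline field list, the sample users and the `last_login_ip` field are assumptions constructed for illustration.

```python
import xmlrpc.client

# Assumption: baseline of struct keys a regular administrator may receive from
# wp.getUsers. Pin this to what the WordPress version under test returns today.
ALLOWED_FIELDS = frozenset({
    "user_id", "username", "first_name", "last_name", "registered", "bio",
    "email", "nickname", "nicename", "url", "display_name", "roles",
})


def audit_get_users_response(response_xml, allowed=ALLOWED_FIELDS):
    """Return {username: [unexpected keys]} for every user struct that
    carries a field outside the pinned baseline."""
    params, _method = xmlrpc.client.loads(response_xml)
    users = params[0]
    if not isinstance(users, list):
        raise ValueError("expected an array of user structs")
    drift = {}
    for user in users:
        if not isinstance(user, dict):
            raise ValueError("expected a struct per user")
        extra = sorted(set(user) - allowed)
        if extra:
            # Fall back to user_id when username was filtered out of the struct.
            key = str(user.get("username", user.get("user_id", "<unknown>")))
            drift[key] = extra
    return drift


def constructed_response(users):
    """Build a methodResponse document for the sample data below."""
    return xmlrpc.client.dumps((users,), methodresponse=True)


# Constructed sample data, not captured from a real site.
BASELINE_USERS = [
    {"user_id": "2", "username": "siteadmin", "display_name": "Site Admin",
     "email": "siteadmin@example.org", "roles": ["administrator"]},
]
# Same response after a hypothetical future field ("last_login_ip") is added.
DRIFTED_USERS = BASELINE_USERS + [
    {"user_id": "3", "username": "author1", "display_name": "Author One",
     "roles": ["author"], "last_login_ip": "192.0.2.10"},
]

if __name__ == "__main__":
    print(audit_get_users_response(constructed_response(BASELINE_USERS)))
    print(audit_get_users_response(constructed_response(DRIFTED_USERS)))
```

Passing a smaller `allowed` set models the stricter `fields => basic` option mentioned in the comment.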