[wp-trac] [WordPress Trac] #25016: XMLRPC method "wp.getUsers" not working correctly on WordPress.com

WordPress Trac noreply at wordpress.org
Tue Aug 13 13:42:57 UTC 2013


#25016: XMLRPC method "wp.getUsers" not working correctly on WordPress.com
--------------------------+------------------------------
 Reporter:  dinomic       |       Owner:
     Type:  defect (bug)  |      Status:  reopened
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  XML-RPC       |     Version:  trunk
 Severity:  normal        |  Resolution:
 Keywords:                |
--------------------------+------------------------------

Comment (by nacin):

 In multisite, only super admins have the edit_users capability. To a mere
 administrator who can list users, _prepare_user() might return more data
 than they can otherwise see in a user list. (Granted, not much — like
 registered date, names other than the display name, etc.)

 One option could be to only allow `fields => basic` in multisite. Or throw
 it out the window and allow all current fields. '''That said,''' let's
 create a unit test that verifies that a regular administrator only
 receives the current list of fields. That way if any more fields are added
 in the future, we don't get surprised that a regular administrator in
 multisite sees data that they shouldn't.

--
Ticket URL: <http://core.trac.wordpress.org/ticket/25016#comment:7>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
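The unit test proposed in the comment above could look like the following. This is an added example, not part of the ticket or of WordPress core. It assumes the core XML-RPC test harness (`WP_XMLRPC_UnitTestCase`), assumes wp.getUsers lets a user with `list_users` through, and assumes the field list shown matches what `_prepare_user()` returns in your tree.

```php
<?php
/**
 * Added example, not WordPress core code: regression test that pins the set
 * of fields wp.getUsers returns to a regular (non-super) administrator.
 *
 * @group xmlrpc
 */
class Tests_XMLRPC_wp_getUsers_Fields extends WP_XMLRPC_UnitTestCase {

	// Assumption: the keys _prepare_user() emits today. Check against your
	// tree; any new key must be added here deliberately, after review.
	private $allowed_fields = array(
		'user_id', 'username', 'first_name', 'last_name', 'registered', 'bio',
		'email', 'nickname', 'nicename', 'url', 'display_name', 'roles',
	);

	function test_administrator_receives_only_known_fields() {
		if ( ! is_multisite() ) {
			$this->markTestSkipped( 'Only meaningful in multisite, where administrators lack edit_users.' );
		}

		// The harness helper creates a user whose login and password equal the role name.
		$admin_id = $this->make_user_by_role( 'administrator' );
		$this->assertFalse( is_super_admin( $admin_id ) );

		// Arguments: blog id, username, password. No filter, so all fields are requested.
		$results = $this->myxmlrpcserver->wp_getUsers( array( 1, 'administrator', 'administrator' ) );
		$this->assertNotInstanceOf( 'IXR_Error', $results );
		$this->assertNotEmpty( $results );

		foreach ( $results as $user ) {
			// Fail on any key outside the reviewed list, naming it in the message.
			$unexpected = array_diff( array_keys( $user ), $this->allowed_fields );
			$this->assertEmpty( $unexpected, 'Unreviewed fields exposed: ' . implode( ', ', $unexpected ) );
		}
	}
}
```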

