[wp-trac] [WordPress Trac] #39839: Permissions processed differently between REST API and UI access causing 403 error
WordPress Trac
noreply at wordpress.org
Fri Feb 10 19:03:49 UTC 2017
#39839: Permissions processed differently between REST API and UI access causing 403 error
--------------------------+------------------------------
Reporter: reldev | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: REST API | Version: 4.7.2
Severity: normal | Resolution:
Keywords: | Focuses:
--------------------------+------------------------------
Comment (by jnylen0):
I've tested this using a few different test users with roles
`administrator`, `author`, and `contributor`. All permissions to read my
own or another user's post behave as I would expect in both the API and in
wp-admin.
Are you sure you're logged in as the same user account in both wp-admin
and the REST API? I'd suggest visiting your user profile in wp-admin and
doing a request for `/users/me?context=edit`, and comparing the results.
There could also be a misbehaving plugin causing this issue. Have you
tried from a fresh install of WP?
For future reference, it's really helpful to provide links to places in
the WP code, rather than just files and line numbers. Line numbers will
change over time, making the ticket information invalid, and it is much
easier to follow the flow of a ticket if I don't have to stop and look up
lots of different places in the code. For example:
- https://core.trac.wordpress.org/browser/tags/4.7.2/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php?marks=1274#L1256
- https://core.trac.wordpress.org/browser/tags/4.7.2/src/wp-includes/rest-api/class-wp-rest-server.php?marks=902#L894
I think both of these checks in the API are correct... if a user is trying
to read a post, then we need to perform the appropriate capabilities
check.
Neither of the wp-admin capabilities checks you referenced (for example
https://core.trac.wordpress.org/browser/tags/4.7.2/src/wp-admin/includes/post.php?marks=1309#L1289)
appear to be relevant to the core flow of editing a post.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/39839#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
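The comment above argues that the API's capability check for reading a post is the same one wp-admin consults, and that a 403 means the API did identify a logged-in user. The following is an added illustration, not code from the ticket or from WordPress core: a custom route (the `example/v1` namespace and the `(?P<id>\d+)` pattern are placeholders) whose permission callback applies the same `read_post` capability check and uses core's `rest_authorization_required_code()` to pick 401 versus 403.

```php
<?php
// Added example (not from the ticket or WordPress core). Registers a route
// whose permission check mirrors the capability check the posts controller
// performs, so the same account gets the same answer in the API as in wp-admin.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/posts/(?P<id>\d+)', array(
        'methods'             => 'GET',
        'callback'            => function ( WP_REST_Request $request ) {
            $post = get_post( (int) $request['id'] );
            return rest_ensure_response( array(
                'id'    => $post->ID,
                'title' => $post->post_title,
                // Which account the API actually resolved; compare this with the
                // user shown on the wp-admin profile page (or /users/me?context=edit).
                'user'  => get_current_user_id(),
            ) );
        },
        'permission_callback' => function ( WP_REST_Request $request ) {
            $post = get_post( (int) $request['id'] );
            if ( ! $post ) {
                return new WP_Error(
                    'rest_post_invalid_id',
                    'Invalid post ID.',
                    array( 'status' => 404 )
                );
            }
            // Same meta capability wp-admin checks before showing a post.
            if ( ! current_user_can( 'read_post', $post->ID ) ) {
                // rest_authorization_required_code() returns 401 when no user is
                // authenticated and 403 when a user is logged in but lacks the
                // capability. A 403 therefore means the API saw *some* user;
                // verify it is the same account as in wp-admin before blaming
                // the capability logic.
                return new WP_Error(
                    'rest_forbidden',
                    'Sorry, you are not allowed to read this post.',
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
    ) );
} );
```

Requesting `/wp-json/example/v1/posts/<id>` with cookie authentication and the `X-WP-Nonce` header set, and comparing the returned `user` field with the wp-admin profile, distinguishes an identity mismatch from a genuine capability difference.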