[wp-trac] [WordPress Trac] #39701: Do not allow editing users from a different site in REST API
WordPress Trac
noreply at wordpress.org
Tue Feb 14 18:16:45 UTC 2017
#39701: Do not allow editing users from a different site in REST API
--------------------------------------+------------------------
Reporter: flixos90 | Owner: jnylen0
Type: defect (bug) | Status: reviewing
Priority: normal | Milestone: 4.7.3
Component: REST API | Version: 4.7
Severity: normal | Resolution:
Keywords: has-patch has-unit-tests | Focuses: multisite
--------------------------------------+------------------------
Comment (by jeremyfelt):
[attachment:39701.2.diff] is looking good, thanks @flixos90.
User configuration:
* User 1 is a member of sites 1 and 2 and is a published author on both sites.
* User 2 is a member of site 1.
* User 3 is a member of site 2.
* User 4 does not exist.
When unauthenticated:
* `GET` to `site.com/site-two/wp-json/wp/v2/users/1` returns user information.
* `PUT` to `site.com/site-two/wp-json/wp/v2/users/1` returns a `rest_cannot_edit` error.
* `GET` to `site.com/site-two/wp-json/wp/v2/users/2` returns a `rest_user_invalid_id` error.
* `PUT` to `site.com/site-two/wp-json/wp/v2/users/2` returns a `rest_user_invalid_id` error.
* `GET` to `site.com/site-two/wp-json/wp/v2/users/3` returns a `rest_user_cannot_view` error.
* `PUT` to `site.com/site-two/wp-json/wp/v2/users/3` returns a `rest_cannot_edit` error.
* `GET` to `site.com/site-two/wp-json/wp/v2/users/4` returns a `rest_user_invalid_id` error.
* `PUT` to `site.com/site-two/wp-json/wp/v2/users/4` returns a `rest_user_invalid_id` error.
When authenticated:
* `GET` to `site.com/site-two/wp-json/wp/v2/users/1` returns user information.
* `PUT` to `site.com/site-two/wp-json/wp/v2/users/1` with new nickname updates nickname.
* `GET` to `site.com/site-two/wp-json/wp/v2/users/2` returns a `rest_user_invalid_id` error.
* `PUT` to `site.com/site-two/wp-json/wp/v2/users/2` returns a `rest_user_invalid_id` error.
* `GET` to `site.com/site-two/wp-json/wp/v2/users/3` returns user information.
* `PUT` to `site.com/site-two/wp-json/wp/v2/users/3` with new nickname updates nickname.
* `GET` to `site.com/site-two/wp-json/wp/v2/users/4` returns a `rest_user_invalid_id` error.
* `PUT` to `site.com/site-two/wp-json/wp/v2/users/4` returns a `rest_user_invalid_id` error.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/39701#comment:16>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list
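The manual matrix in the comment above, encoded as an automated regression test. This is an added example, not code from ticket #39701, its patch, or WordPress core. It is written in the style of the core REST test suite (WP_Test_REST_TestCase, the test factories, rest_get_server()) and assumes a multisite test install, a second site created by the blog factory standing in for "site-two", a super admin as the user behind the "When authenticated" rows, and PHP_INT_MAX standing in for the nonexistent user 4. The 404 for rest_user_invalid_id and the 401 for the other two errors while logged out follow rest_authorization_required_code() as used by the 4.7-era users controller.

```php
<?php
// Added example (not from ticket #39701 or WordPress core): a PHPUnit test in
// the style of the core REST test suite that encodes the cross-site matrix.
// Assumptions: multisite test install, "site-two" created by the blog factory,
// the "authenticated" rows exercised as a super admin, PHP_INT_MAX standing in
// for the nonexistent user 4. rest_user_invalid_id is a 404; the other errors
// use rest_authorization_required_code(), which is 401 while logged out.

class Tests_REST_Users_Cross_Site extends WP_Test_REST_TestCase {
	protected static $site_one;
	protected static $site_two;
	protected static $user_one;    // member of sites 1 and 2, published author on both
	protected static $user_two;    // member of site 1 only
	protected static $user_three;  // member of site 2 only, no posts
	protected static $super_admin; // the authenticated user for the second half
	const MISSING_USER = PHP_INT_MAX;

	public static function wpSetUpBeforeClass( $factory ) {
		self::$site_one    = get_current_blog_id();
		self::$site_two    = $factory->blog->create();
		self::$user_one    = $factory->user->create( array( 'role' => 'author' ) );
		self::$user_two    = $factory->user->create( array( 'role' => 'author' ) );
		self::$user_three  = $factory->user->create( array( 'role' => 'author' ) );
		self::$super_admin = $factory->user->create( array( 'role' => 'administrator' ) );
		grant_super_admin( self::$super_admin );

		// The factory assigns the role on the current site, so every user above
		// starts as a member of site 1; adjust memberships to match the matrix.
		remove_user_from_blog( self::$user_three, self::$site_one );
		add_user_to_blog( self::$site_two, self::$user_one, 'author' );
		add_user_to_blog( self::$site_two, self::$user_three, 'author' );

		// User 1 is a published author on both sites (factory posts are published).
		$factory->post->create( array( 'post_author' => self::$user_one ) );
		switch_to_blog( self::$site_two );
		$factory->post->create( array( 'post_author' => self::$user_one ) );
		restore_current_blog();
	}

	// Dispatch one request to site two's users route as $as_user (0 = logged out).
	private function on_site_two( $method, $id, $as_user, $params = array() ) {
		wp_set_current_user( $as_user );
		switch_to_blog( self::$site_two );
		$request = new WP_REST_Request( $method, '/wp/v2/users/' . $id );
		foreach ( $params as $key => $value ) {
			$request->set_param( $key, $value );
		}
		$response = rest_get_server()->dispatch( $request );
		restore_current_blog();
		return $response;
	}

	public function test_unauthenticated_requests_on_site_two() {
		$nick = array( 'nickname' => 'changed' );

		$this->assertSame( 200, $this->on_site_two( 'GET', self::$user_one, 0 )->get_status() );
		$this->assertErrorResponse( 'rest_cannot_edit', $this->on_site_two( 'PUT', self::$user_one, 0, $nick ), 401 );

		// Not a member of site two: the same 404 whether reading or writing,
		// so the route does not reveal that the account exists on the network.
		$this->assertErrorResponse( 'rest_user_invalid_id', $this->on_site_two( 'GET', self::$user_two, 0 ), 404 );
		$this->assertErrorResponse( 'rest_user_invalid_id', $this->on_site_two( 'PUT', self::$user_two, 0, $nick ), 404 );

		// A member without published posts exists but is not publicly viewable.
		$this->assertErrorResponse( 'rest_user_cannot_view', $this->on_site_two( 'GET', self::$user_three, 0 ), 401 );
		$this->assertErrorResponse( 'rest_cannot_edit', $this->on_site_two( 'PUT', self::$user_three, 0, $nick ), 401 );

		$this->assertErrorResponse( 'rest_user_invalid_id', $this->on_site_two( 'GET', self::MISSING_USER, 0 ), 404 );
		$this->assertErrorResponse( 'rest_user_invalid_id', $this->on_site_two( 'PUT', self::MISSING_USER, 0, $nick ), 404 );
	}

	public function test_super_admin_requests_on_site_two() {
		$admin = self::$super_admin;
		$nick  = array( 'nickname' => 'changed by admin' );

		$this->assertSame( 200, $this->on_site_two( 'GET', self::$user_one, $admin )->get_status() );
		$this->assertSame( 200, $this->on_site_two( 'PUT', self::$user_one, $admin, $nick )->get_status() );
		$this->assertSame( 'changed by admin', get_userdata( self::$user_one )->nickname );

		// Site membership still gates the route even for a super admin.
		$this->assertErrorResponse( 'rest_user_invalid_id', $this->on_site_two( 'GET', self::$user_two, $admin ), 404 );
		$this->assertErrorResponse( 'rest_user_invalid_id', $this->on_site_two( 'PUT', self::$user_two, $admin, $nick ), 404 );

		$this->assertSame( 200, $this->on_site_two( 'GET', self::$user_three, $admin )->get_status() );
		$this->assertSame( 200, $this->on_site_two( 'PUT', self::$user_three, $admin, $nick )->get_status() );
		$this->assertSame( 'changed by admin', get_userdata( self::$user_three )->nickname );

		$this->assertErrorResponse( 'rest_user_invalid_id', $this->on_site_two( 'GET', self::MISSING_USER, $admin ), 404 );
		$this->assertErrorResponse( 'rest_user_invalid_id', $this->on_site_two( 'PUT', self::MISSING_USER, $admin, $nick ), 404 );
	}
}
```

Run it with the core suite in multisite mode (phpunit -c tests/phpunit/multisite.xml). The point worth keeping in an automated form is the pair of rows for user 2: a non-member must get the same rest_user_invalid_id response for GET and PUT, both logged out and as a super admin, so the users route on one site neither edits nor enumerates accounts that belong only to another site.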