[wp-trac] [WordPress Trac] #39701: Do not allow editing users from a different site in REST API
WordPress Trac
noreply at wordpress.org
Wed Feb 22 23:54:44 UTC 2017
#39701: Do not allow editing users from a different site in REST API
--------------------------------------+------------------------
Reporter: flixos90 | Owner: flixos90
Type: defect (bug) | Status: accepted
Priority: normal | Milestone: 4.7.3
Component: REST API | Version: 4.7
Severity: normal | Resolution:
Keywords: has-patch has-unit-tests | Focuses: multisite
--------------------------------------+------------------------
Comment (by jnylen0):
The current multisite handling in the users endpoint makes little to no
sense. It's not something we can remotely consider enabling on WP.com,
for example. I'd like to get to a place where we can.
This, and a few other specific parts of the REST API never should have
shipped in 4.7. They're things we wish we would have addressed, but
didn't have time. IMO, not making these fixes soon after 4.7 is more
harmful to the future reliability and maintainability of the API.
The necessary first step for this particular change is to have the REST
API default to single-site mode for all operations, then add multisite
support in a careful and reasoned manner. Our public document for this
specific change is here:
https://make.wordpress.org/core/2017/02/08/improving-the-rest-api-users-endpoint-for-multisite-in-4-7-3-and-4-8/
I'm not sure that we ever created a public document for larger API changes
after 4.7, but at the very least it's been discussed in dev chats, and
@pento and I agreed that we would make limited backwards-incompatible
fixes into the first few 4.7.x releases to provide a solid foundation for
future development.
The REST API still has a few ugly quirks remaining that we need to fix
ASAP before people start depending on these behaviors. I wish we had
caught and fixed them all before 4.7, but we didn't. If I had anticipated
that we would lose the capability to make these fixes, I would have pushed
back much harder about including the API in 4.7.
> At the very least, can we create a page which mentions all the API
> changes at https://developer.wordpress.org/rest-api/changelog (or
> something similar)?
I'm OK with this, as well as adding any missing `@since` annotations.
I'll get the page started within the next few days.
I don't expect this specific change to be a cause for concern because we
are doing it early enough in the history of the REST API, which is really
important. If I'm wrong about that, then let's address it by creating a
plugin that preserves the ability to add users in multisite.
To summarize, this change is something that should've been done before
4.7, and if we don't do this first step now, it essentially means that the
REST API will never support multisite installations in a sane and
consistent manner.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/39701#comment:23>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform