[wp-trac] [WordPress Trac] #39544: REST API: Improve users endpoint in multisite

WordPress Trac noreply at wordpress.org
Wed Jan 11 11:22:15 UTC 2017


#39544: REST API: Improve users endpoint in multisite
----------------------------+----------------------------
 Reporter:  flixos90        |      Owner:
     Type:  task (blessed)  |     Status:  new
 Priority:  normal          |  Milestone:  Future Release
Component:  REST API        |    Version:
 Severity:  normal          |   Keywords:  2nd-opinion
  Focuses:  multisite       |
----------------------------+----------------------------
 As per the discussion that happened during the past two weeks' multisite
 office-hours, the REST API users endpoint needs to be improved to support
 multisite behavior.

 This ticket is supposed to act as a general task for discussion, and then
 for the actual implementation smaller spin-off tickets should be opened.

 Currently, the four steps (possibly four tickets) we're thinking about
 are:
 * The users overview at `wp-json/wp/v2/users` should continue to only show
 users of that site by default, but a request
 like `wp-json/wp/v2/users?global=true` should show all users in the
 WordPress setup. This parameter must only be available to network
 administrators though, more specifically users with the
 `manage_network_users` capability. In the future a `network` parameter
 might also be introduced for support of multi networks, but at this point
 core does not support querying users per network. Accessing global users
 should be available from all sites in a setup instead of only from the
 main site. While this approach makes these endpoints duplicates of each
 other, it has several benefits like preventing the requirement for cross-
 domain requests, allowing easier API discovery and not requiring the main
 site of a setup to be exposed to REST API calls to a sub site.
 * Assigning an existing user to a site and removing a user from a site
 should generally be only available to network administrators, and the site
 administrators of the site that is being interacted with.
 * Similarly, editing a user that does not belong to the current site
 should only be possible for a network administrator. Currently this is
 available to site administrators as well which is probably wrong.
 * Deleting any user completely should only be available to a network
 administrator. A good way to handle the `reassign` parameter needs to be
 found though.

 For background information, please read the posts at
 https://make.wordpress.org/core/2017/01/09/improving-the-rest-api-users-endpoint-in-multisite/
 and
 https://make.wordpress.org/core/2017/01/11/controlling-access-to-rest-api-user-functionality-for-multisite/
 (the latter contains the above list as well).

--
Ticket URL: <https://core.trac.wordpress.org/ticket/39544>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
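
The first item in the ticket's list, sketched as a plugin-style example that is added here and is not WordPress core code or the ticket author's implementation. It assumes the proposed `global` parameter and the `manage_network_users` check from the ticket; the `example_` names and the error code are hypothetical, and the hooks are existing core filters.

```php
<?php
// Added illustration, not WordPress core code. The `global` parameter is the
// ticket's proposal; every `example_` name is hypothetical.

// Advertise the proposed parameter in the users collection schema.
add_filter( 'rest_user_collection_params', 'example_add_global_param' );
function example_add_global_param( $params ) {
	if ( is_multisite() ) {
		$params['global'] = array(
			'description' => 'Return users from the whole setup, not only the current site.',
			'type'        => 'boolean',
		);
	}
	return $params;
}

// Refuse `?global=true` before the controller runs unless the caller holds
// `manage_network_users`: a site administrator gets an error, not a silent fallback.
add_filter( 'rest_request_before_callbacks', 'example_guard_global_param', 10, 3 );
function example_guard_global_param( $response, $handler, $request ) {
	if ( is_wp_error( $response ) || ! example_wants_global_users( $request ) ) {
		return $response;
	}
	if ( ! current_user_can( 'manage_network_users' ) ) {
		return new WP_Error(
			'example_rest_forbidden_global',
			'Sorry, you are not allowed to list users across the network.',
			array( 'status' => rest_authorization_required_code() )
		);
	}
	return $response;
}

// Widen the query only for authorized callers: blog_id 0 tells WP_User_Query
// not to restrict results to a single site.
add_filter( 'rest_user_query', 'example_widen_user_query', 10, 2 );
function example_widen_user_query( $args, $request ) {
	if ( example_wants_global_users( $request ) && current_user_can( 'manage_network_users' ) ) {
		$args['blog_id'] = 0;
	}
	return $args;
}

function example_wants_global_users( $request ) {
	return is_multisite()
		&& 'GET' === $request->get_method()
		&& '/wp/v2/users' === $request->get_route()
		&& rest_sanitize_boolean( $request->get_param( 'global' ) );
}
```

The capability is checked twice on purpose: the guard produces the error response, and the query filter repeats the check so the wider query cannot run if the guard is ever unhooked.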

