[wp-trac] [WordPress Trac] #39544: REST API: Improve users endpoint in multisite
WordPress Trac
noreply at wordpress.org
Wed Jan 11 11:22:15 UTC 2017
#39544: REST API: Improve users endpoint in multisite
----------------------------+----------------------------
Reporter: flixos90 | Owner:
Type: task (blessed) | Status: new
Priority: normal | Milestone: Future Release
Component: REST API | Version:
Severity: normal | Keywords: 2nd-opinion
Focuses: multisite |
----------------------------+----------------------------
As per the discussion that happened during the past two weeks' multisite
office-hours, the REST API users endpoint needs to be improved to support
multisite behavior.
This ticket is supposed to act as a general task for discussion, and then
for the actual implementation smaller spin-off tickets should be opened.
Currently, the four steps (possibly four tickets) we're thinking about
are:
* The users overview at `wp-json/wp/v2/users`
should continue to only show users of that site by default, but a request
like `wp-json/wp/v2/users?global=true` should show all users in the
WordPress setup. This parameter must only be available to network
administrators though, more specifically users with the
`manage_network_users` capability. In the future a `network` parameter
might also be introduced for support of multi networks, but at this point
core does not support querying users per network. Accessing global users
should be available from all sites in a setup instead of only from the
main site. While this approach makes these endpoints duplicates of each
other, it has several benefits like preventing the requirement for cross-
domain requests, allowing easier API discovery and not requiring the main
site of a setup to be exposed to REST API calls to a sub site.
* Assigning an existing user to a site and removing a user from a site
should generally be only available to network administrators, and the site
administrators of the site that is being interacted with.
* Similarly, editing a user that does not belong to the current site
should only be possible for a network administrator. Currently this is
available to site administrators as well, which is probably wrong.
* Deleting any user completely should only be available to a network
administrator. A good way to handle the `reassign` parameter needs to be
found though.
For background information, please read the posts at
https://make.wordpress.org/core/2017/01/09/improving-the-rest-api-users-endpoint-in-multisite/
and
https://make.wordpress.org/core/2017/01/11/controlling-access-to-rest-api-user-functionality-for-multisite/
(the latter contains the above list as well)
--
Ticket URL: <https://core.trac.wordpress.org/ticket/39544>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
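
An added example, not part of the original ticket and not WordPress core code: one way the capability gate on the proposed `global` parameter could be enforced in a route's permission callback. The `example/v1` namespace, the `example_*` function names and the error codes are assumptions made for illustration.

```php
<?php
// Added illustration only. The route namespace, function names and error
// codes are hypothetical; core's wp/v2/users controller is not modified here.

add_action( 'rest_api_init', function () {
	register_rest_route( 'example/v1', '/users', array(
		'methods'             => WP_REST_Server::READABLE,
		'callback'            => 'example_list_users',
		'permission_callback' => 'example_list_users_permission',
		'args'                => array(
			'global' => array( 'type' => 'boolean', 'default' => false ),
		),
	) );
} );

function example_list_users_permission( WP_REST_Request $request ) {
	if ( ! current_user_can( 'list_users' ) ) {
		return new WP_Error( 'example_cannot_list', 'You are not allowed to list users.',
			array( 'status' => rest_authorization_required_code() ) );
	}

	// Reject the request outright when `global` is set by someone without the
	// network capability, instead of silently falling back to the site scope.
	$wants_global = rest_sanitize_boolean( $request['global'] );
	if ( $wants_global && ! ( is_multisite() && current_user_can( 'manage_network_users' ) ) ) {
		return new WP_Error( 'example_cannot_list_global', 'You are not allowed to list users across the network.',
			array( 'status' => rest_authorization_required_code() ) );
	}

	return true;
}

function example_list_users( WP_REST_Request $request ) {
	// The permission callback has already authorised the global scope.
	$global = is_multisite() && rest_sanitize_boolean( $request['global'] );

	$users = get_users( array(
		// blog_id 0 removes the per-site membership filter in WP_User_Query.
		'blog_id' => $global ? 0 : get_current_blog_id(),
		'fields'  => array( 'ID', 'display_name' ),
	) );

	return rest_ensure_response( $users );
}
```

Because the check runs on whichever site receives the request, the same gate applies from every site in the setup, which matches the ticket's point that global access should not depend on reaching the main site.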