[wp-trac] [WordPress Trac] #39701: Do not allow editing users from a different site in REST API
WordPress Trac
noreply at wordpress.org
Thu Jan 26 13:29:16 UTC 2017
#39701: Do not allow editing users from a different site in REST API
--------------------------+-------------------------
 Reporter:  flixos90      |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  4.7.2
Component:  REST API      |    Version:  4.7
 Severity:  normal        |   Keywords:  needs-patch
  Focuses:  multisite     |
--------------------------+-------------------------
Currently it is possible to edit any user via the REST API when sending a
request to `wp-json/wp/v2/users/<id>`, even when the user with that ID is
not part of the current site. As discussed in multisite office-hours, this
is not desired and considered a bug. Only users of the site where the
route is accessed should be editable.

Managing users beyond a single site will only become available in a future
release, and it will work differently than this.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/39701>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
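
The site-membership check the ticket asks for, sketched as a must-use plugin that site operators could use as a stopgap. This is an added example, not WordPress core code and not the patch for this ticket; the function name `example_block_cross_site_user_edit` and the error code `example_user_not_on_site` are hypothetical, and it assumes WordPress 4.7 or later running as multisite.

```php
<?php
/**
 * Added example (not core code): refuse edit requests to
 * wp-json/wp/v2/users/<id> when the target user is not a member of the
 * site that is handling the request.
 */
add_filter( 'rest_request_before_callbacks', 'example_block_cross_site_user_edit', 10, 3 );

function example_block_cross_site_user_edit( $response, $handler, $request ) {
	// Keep an error that an earlier check already produced.
	if ( is_wp_error( $response ) ) {
		return $response;
	}

	// Membership only matters on multisite; single sites have one user set.
	if ( ! is_multisite() ) {
		return $response;
	}

	// Only numeric single-user routes; this leaves /wp/v2/users/me alone.
	if ( ! preg_match( '#^/wp/v2/users/(\d+)$#', $request->get_route(), $m ) ) {
		return $response;
	}

	// The ticket is about editing, so only the editing methods are gated.
	$editing = array( 'POST', 'PUT', 'PATCH' );
	if ( ! in_array( $request->get_method(), $editing, true ) ) {
		return $response;
	}

	$user_id = (int) $m[1];

	// is_user_member_of_blog() is false for unknown users as well, so a
	// missing user and a user of another site get the same answer.
	if ( ! is_user_member_of_blog( $user_id, get_current_blog_id() ) ) {
		return new WP_Error(
			'example_user_not_on_site', // hypothetical error code
			'Invalid user ID.',
			array( 'status' => 404 )
		);
	}

	return $response;
}
```

The filter applies to every caller, network administrators included, which matches the ticket's statement that only users of the site where the route is accessed should be editable.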