[wp-trac] [WordPress Trac] #39701: Do not allow editing users from a different site in REST API
WordPress Trac
noreply at wordpress.org
Sat Jan 28 14:02:33 UTC 2017
#39701: Do not allow editing users from a different site in REST API
--------------------------+------------------------
Reporter: flixos90 | Owner: flixos90
Type: defect (bug) | Status: assigned
Priority: normal | Milestone: 4.7.3
Component: REST API | Version: 4.7
Severity: normal | Resolution:
Keywords: needs-patch | Focuses: multisite
--------------------------+------------------------
Comment (by flixos90):
While working on a patch, I took a closer look at the current state of
users in the REST API in a multisite environment. Some of our initial
observations were slightly incorrect. Referring to
https://make.wordpress.org/core/2017/01/11/controlling-access-to-rest-api-user-functionality-for-multisite/:
> It is possible to both read and edit any user from any site with a
> request to `wp-json/wp/v2/users/<id>`, regardless of whether the user is
> part of that site.
The thing certain to be a bug currently is that it is possible to read any
user from any site with a `GET` request. If possible at all, this should
only be available if the current user is a super admin.
The updating bit of the above quote is wrong: Updating a user in multisite
is only available to super admins; no site administrator can send a
`POST/PUT/PATCH` successfully, as the permission check
`current_user_can( 'edit_user', $user_id )` returns false unless the
current user is a super admin. That is because in `map_meta_cap()`
'edit_user' maps to 'do_not_allow' in a multisite unless the current user
can `manage_network_users`. Also, when updating a user through the REST
API as a super admin, that user is automatically added to the current site
if they haven't been a member of it before. I kind of see where this is
coming from, but I think that should be removed as well, as we'll probably
want to have clearer control over that.
So I would suggest doing the following for 4.7.3:
* Reading a user from another site (via `GET` request) should only be
available to super admins (can be checked with `current_user_can(
'edit_user', $user_id )` because of the mapping explained above).
* Since updating is currently only available to super admins anyway, we
don't need to worry too much about permissions of an `UPDATE` request. I
would suggest, though, removing the automatic call to `add_user_to_blog()`
and instead returning an error if a request tries to set roles on a user
that is not part of the current site. This change would ensure that in the
current state neither adding nor removing a user from a site is possible,
which would allow us to come up with a sophisticated approach for 4.8.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/39701#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
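To make the two proposals in the comment above concrete, here is an added example of how the checks could look in a REST users controller. This is illustrative code written for this page, not the ticket's patch and not WordPress core; the class and method names (`Example_Multisite_Users_Controller`, `get_item_permissions_check`, `check_role_update`) and the error codes are hypothetical, while the functions it calls (`current_user_can()`, `is_multisite()`, `is_user_member_of_blog()`, `get_current_blog_id()`, `get_current_user_id()`, `get_userdata()`, `rest_authorization_required_code()`, `WP_Error`, `WP_REST_Request`) are the real WordPress core APIs.

```php
<?php
/**
 * Added example, not WordPress core code. Shows the two guards proposed in
 * the comment above for a multisite users endpoint. Class, method and error
 * names are hypothetical; the WordPress functions called are real core ones.
 */
class Example_Multisite_Users_Controller {

	/**
	 * GET /users/<id>: in multisite, reading a user who is not a member of
	 * the current site requires 'edit_user' on that user. map_meta_cap()
	 * maps 'edit_user' to 'do_not_allow' unless the current user has
	 * 'manage_network_users', so in practice only super admins pass.
	 *
	 * @return true|WP_Error
	 */
	public function get_item_permissions_check( WP_REST_Request $request ) {
		$user_id = (int) $request['id'];

		if ( ! get_userdata( $user_id ) ) {
			return new WP_Error(
				'rest_user_invalid_id',
				'Invalid user ID.',
				array( 'status' => 404 )
			);
		}

		// Members of the current site, and the requesting user themselves,
		// fall through to the normal single-site checks (not shown here).
		if ( ! is_multisite()
			|| get_current_user_id() === $user_id
			|| is_user_member_of_blog( $user_id, get_current_blog_id() ) ) {
			return true;
		}

		// Cross-site read: delegate to the capability system so that the
		// multisite mapping in map_meta_cap() decides (super admins only).
		if ( ! current_user_can( 'edit_user', $user_id ) ) {
			return new WP_Error(
				'rest_user_cannot_view',
				'Sorry, you are not allowed to view users from other sites.',
				array( 'status' => rest_authorization_required_code() )
			);
		}

		return true;
	}

	/**
	 * POST/PUT/PATCH /users/<id>: instead of silently calling
	 * add_user_to_blog() for a non-member, refuse to set roles on a user
	 * who is not a member of the current site. With this guard the endpoint
	 * can neither add nor remove site membership, which is the interim
	 * state the comment proposes for 4.7.3.
	 *
	 * @return true|WP_Error
	 */
	public function check_role_update( WP_REST_Request $request ) {
		$user_id = (int) $request['id'];

		if ( ! current_user_can( 'edit_user', $user_id ) ) {
			return new WP_Error(
				'rest_cannot_edit',
				'Sorry, you are not allowed to edit this user.',
				array( 'status' => rest_authorization_required_code() )
			);
		}

		if ( ! isset( $request['roles'] ) ) {
			return true; // No role change requested; nothing to guard.
		}

		if ( is_multisite()
			&& ! is_user_member_of_blog( $user_id, get_current_blog_id() ) ) {
			return new WP_Error(
				'rest_user_not_site_member',
				'Roles cannot be set for a user who is not a member of this site.',
				array( 'status' => 400 )
			);
		}

		return true;
	}
}
```

The design point is that the read guard does not hard-code an `is_super_admin()` check; it asks for `edit_user` and lets `map_meta_cap()` apply the multisite rule, so a single place in core keeps defining who may touch users from other sites. The update guard runs after the existing capability check and before any role assignment, so a non-member request fails with a 400 rather than gaining site membership as a side effect.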