[wp-trac] [WordPress Trac] #39701: Do not allow editing users from a different site in REST API
WordPress Trac
noreply at wordpress.org
Sat Jan 28 14:24:22 UTC 2017
#39701: Do not allow editing users from a different site in REST API
--------------------------------------+------------------------
Reporter: flixos90 | Owner: flixos90
Type: defect (bug) | Status: assigned
Priority: normal | Milestone: 4.7.3
Component: REST API | Version: 4.7
Severity: normal | Resolution:
Keywords: has-patch has-unit-tests | Focuses: multisite
--------------------------------------+------------------------
Changes (by flixos90):
* keywords: needs-patch => has-patch has-unit-tests
Comment:
[attachment:39701.diff] is the patch where I've implemented my two
suggestions from the above comment.
* Only super admins can `GET` users from another site.
* Nobody can add an existing user to the current site (via `UPDATE`). This
is handled by returning an error if the roles of a user who is not part of
the site are to be updated.
The patch also includes 5 tests to verify everything works as expected.
One existing test has basically been reversed because it was assuming that
a user would automatically be added to the current site in an `UPDATE`
request. So this change is obviously backward-incompatible, but I think
that's okay since it was a bug before.
Ping @jeremyfelt and @jnylen0 for feedback.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/39701#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
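The two rules the comment describes, written out as REST API permission checks in the style of `WP_REST_Users_Controller`. This is an added illustration, not the `39701.diff` attached to the ticket and not WordPress core code: the function names `example_user_get_permissions_check` and `example_user_update_roles_check`, the error codes and the messages are assumptions made for the example; the core functions it calls (`is_multisite()`, `is_user_member_of_blog()`, `is_super_admin()`, `get_current_blog_id()`, `rest_authorization_required_code()`, `WP_Error`) exist in a multisite WordPress bootstrap, which the snippet assumes is loaded.

```php
<?php
/**
 * Added example (not the ticket's patch): permission checks for the
 * multisite cases described in the comment. Assumes WordPress multisite
 * is bootstrapped so the core functions used below are available.
 */

/**
 * GET /wp/v2/users/<id>.
 *
 * The capability check core already performs (e.g. 'list_users') is
 * assumed to have passed. On multisite, a user who is not a member of the
 * current site may additionally only be viewed by a super admin.
 */
function example_user_get_permissions_check( WP_REST_Request $request ) {
	$user = get_userdata( (int) $request['id'] );

	if ( ! $user ) {
		// Error code and message are illustrative.
		return new WP_Error( 'example_user_invalid_id', 'Invalid user ID.', array( 'status' => 404 ) );
	}

	if ( is_multisite()
		&& ! is_user_member_of_blog( $user->ID, get_current_blog_id() )
		&& ! is_super_admin( get_current_user_id() ) ) {
		return new WP_Error(
			'example_user_cannot_view',
			'Sorry, you are not allowed to view users from another site.',
			// 401 for anonymous requests, 403 for authenticated ones.
			array( 'status' => rest_authorization_required_code() )
		);
	}

	return true;
}

/**
 * POST/PUT /wp/v2/users/<id>.
 *
 * Refuse to set roles for a user who is not a member of the current site.
 * In multisite, a user's roles on a site live in that site's capabilities
 * user meta, and is_user_member_of_blog() looks for exactly that meta, so
 * writing roles for a non-member silently joins them to the site. Returning
 * an error here is the behaviour the comment describes for `UPDATE`.
 */
function example_user_update_roles_check( WP_User $user, WP_REST_Request $request ) {
	if ( ! empty( $request['roles'] )
		&& is_multisite()
		&& ! is_user_member_of_blog( $user->ID, get_current_blog_id() ) ) {
		return new WP_Error(
			'example_user_not_site_member',
			'Sorry, you cannot assign roles to a user who is not a member of this site.',
			array( 'status' => rest_authorization_required_code() )
		);
	}

	return true;
}

/**
 * Wiring for a controller's update_item(): run the role check before any
 * role is written, and return the error instead of proceeding. Illustrative.
 */
function example_user_update_item( WP_User $user, WP_REST_Request $request ) {
	$check = example_user_update_roles_check( $user, $request );
	if ( is_wp_error( $check ) ) {
		return $check;
	}

	// ... the usual update path (wp_update_user(), role changes) follows here.
	return true;
}
```

Both checks deliberately test membership of the *current* site via `get_current_blog_id()` rather than trusting any site identifier from the request, and the role check fires only when `roles` is actually present, so a plain profile update for a non-member user is not rejected by it.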