[wp-trac] [WordPress Trac] #39701: Do not allow editing users from a different site in REST API

WordPress Trac noreply at wordpress.org
Sat Jan 28 14:24:22 UTC 2017

#39701: Do not allow editing users from a different site in REST API
 Reporter:  flixos90                  |       Owner:  flixos90
     Type:  defect (bug)              |      Status:  assigned
 Priority:  normal                    |   Milestone:  4.7.3
Component:  REST API                  |     Version:  4.7
 Severity:  normal                    |  Resolution:
 Keywords:  has-patch has-unit-tests  |     Focuses:  multisite
Changes (by flixos90):

 * keywords:  needs-patch => has-patch has-unit-tests


 [attachment:39701.diff] is the patch where I've implemented my two
 suggestions from the above comment.
 * Only super admins can `GET` users from another site.
 * Nobody can add an existing user to the current site (via `UPDATE`). This
 is handled by returning an error if roles of a user who is not part of the
 site should be updated.

 The patch also includes 5 tests to verify everything works as expected.
 One existing test has been basically reversed because it was assuming that
 a user would automatically be added to the current site in an `UPDATE`
 request. So this change is obviously backward-incompatible, but I think
 that's okay since it was a bug before.

 Ping @jeremyfelt and @jnylen0 for feedback.

Ticket URL: <https://core.trac.wordpress.org/ticket/39701#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list