[wp-trac] [WordPress Trac] #39701: Do not allow editing users from a different site in REST API

WordPress Trac noreply at wordpress.org
Sat Jan 28 17:33:03 UTC 2017

#39701: Do not allow editing users from a different site in REST API
 Reporter:  flixos90                  |       Owner:  flixos90
     Type:  defect (bug)              |      Status:  assigned
 Priority:  normal                    |   Milestone:  4.7.3
Component:  REST API                  |     Version:  4.7
 Severity:  normal                    |  Resolution:
 Keywords:  has-patch has-unit-tests  |     Focuses:  multisite

Comment (by johnjamesjacoby):

 Thought did go into it, and this is what the original authors thought was
 best, even if we don't agree ourselves. :)

 If it's a bug, we should fix the bug, but that doesn't seem to be the

 If this is just the way the `v1` API works, we can't change it because
 it's a public API. If anything, parity with core functions to restrict it
 to super admins seems like the bug fix that's least likely to cause

 We've been lucky to be able to take some liberty with private multisite
 APIs, but public ones are pretty much for life until deprecated. If we're
 deprecating this already, I imagine we'll want to run that past the REST
 API team to discuss what that looks like in core.

Ticket URL: <https://core.trac.wordpress.org/ticket/39701#comment:6>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
