[wp-trac] [WordPress Trac] #39701: Do not allow editing users from a different site in REST API
WordPress Trac
noreply at wordpress.org
Tue Jan 31 16:12:45 UTC 2017
#39701: Do not allow editing users from a different site in REST API
--------------------------------------+------------------------
Reporter: flixos90 | Owner: flixos90
Type: defect (bug) | Status: assigned
Priority: normal | Milestone: 4.7.3
Component: REST API | Version: 4.7
Severity: normal | Resolution:
Keywords: has-patch has-unit-tests | Focuses: multisite
--------------------------------------+------------------------
Comment (by jeremyfelt):
We talked a bit about a `global` parameter during
[https://wordpress.slack.com/archives/core-multisite/p1484070268001145
multisite office hours] one week that could help with context switching.

I think that matching existing `wp-admin/` behavior here makes sense,
which ''somewhat'' makes this a bug. Only users with `edit_users` can edit
other users that are members of the current site or network depending on
which admin screen the action is being performed on.

I'd be okay with allowing the edit of a user that is not a member of the
current site if a `global` parameter is passed so that intention is clear.
Ideally there would also be another parameter that said "and add this user
to this site" so that global users could be managed from any site's
endpoint.

We may be okay in breaking back-compat here (with guidance from the REST
API team), but if we do then we need to really make sure it's the decision
that we want.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/39701#comment:7>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
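
The access rule discussed in the comment above, sketched as a site-level filter. This is an added example, not WordPress core code and not the patch attached to the ticket. The `global` request parameter is the proposal from the comment (it is not an existing core parameter), and the function name, the error codes and the choice of a 404 response are assumptions made for illustration.

```php
<?php
/**
 * Added illustration: on multisite, refuse REST writes to a user who is not
 * a member of the current site unless the caller explicitly opts in with the
 * proposed (hypothetical) "global" parameter and holds edit_users.
 */
add_filter( 'rest_request_before_callbacks', 'example_block_cross_site_user_edit', 10, 3 );

function example_block_cross_site_user_edit( $response, $handler, $request ) {
	// Keep earlier errors untouched; single-site installs have no cross-site case.
	if ( is_wp_error( $response ) || ! is_multisite() ) {
		return $response;
	}

	// Act only on the single-user route and only on write methods.
	if ( ! preg_match( '#^/wp/v2/users/(\d+)$#', $request->get_route(), $m ) ) {
		return $response;
	}
	if ( ! in_array( $request->get_method(), array( 'POST', 'PUT', 'PATCH', 'DELETE' ), true ) ) {
		return $response;
	}

	$user_id = (int) $m[1];

	// Members of the current site fall through to the normal permission checks.
	if ( is_user_member_of_blog( $user_id, get_current_blog_id() ) ) {
		return $response;
	}

	// Non-member target: without the opt-in, answer as if the user does not
	// exist here (assumed design choice, avoids confirming accounts on other sites).
	if ( ! rest_sanitize_boolean( $request->get_param( 'global' ) ) ) {
		return new WP_Error(
			'example_user_not_on_site', // constructed error code
			__( 'Invalid user ID.' ),
			array( 'status' => 404 )
		);
	}

	// Opt-in given: the intention is clear, but the capability is still required.
	if ( ! current_user_can( 'edit_users' ) ) {
		return new WP_Error(
			'example_cannot_edit_global_user', // constructed error code
			__( 'Sorry, you are not allowed to edit this user.' ),
			array( 'status' => rest_authorization_required_code() )
		);
	}

	return $response;
}
```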