[wp-trac] [WordPress Trac] #40263: REST API: Allow site admins to edit user roles in multisite

WordPress Trac noreply at wordpress.org
Sat Mar 25 17:01:31 UTC 2017


#40263: REST API: Allow site admins to edit user roles in multisite
--------------------------+----------------------------
 Reporter:  flixos90      |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Future Release
Component:  REST API      |    Version:
 Severity:  normal        |   Keywords:  2nd-opinion
  Focuses:  multisite     |
--------------------------+----------------------------
 In multisite, only network administrators can edit users. The REST API has
 that restriction in place implicitly, since the `edit_user` capability is
 automatically handled in `map_meta_cap()`, so that's good as is.

 However, on multisite a site administrator should still be able to modify
 the roles of a user from their site. This is currently not possible
 through the REST API.

 The dedicated capability `promote_user` (which is a meta capability that
 maps to `promote_users` by default) should be used to implement this
 functionality. This will return true for both site administrators and
 network administrators, while `edit_user` only works for the latter.

 I suggest adjusting
 `WP_REST_Users_Controller::update_item_permissions_check()` as described:
 * Move the check for editing the user's roles above the check for editing
 the user and use `current_user_can( 'promote_user', $user->ID )` instead
 of `current_user_can( 'edit_users' )`.
 * Only run the regular `current_user_can( 'edit_user', $user->ID )` check
 if more parameters than `id` and `roles` are attached to the request.
 Otherwise we should be able to safely assume that this request is only for
 adjusting roles.

 Some parts of the `WP_REST_Users_Controller::update_item()` method might
 need to be adjusted accordingly, but we can figure this out while working
 on a patch. Maybe that method won't even require any changes.

 This ticket is part of the task defined in #39544.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/40263>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
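The permission-check ordering the ticket proposes, written out as an added illustration in PHP. This is not WordPress core code and not the ticket's patch; it assumes the WordPress runtime (`current_user_can()`, `get_userdata()`, `WP_Error`, `WP_REST_Request`, `rest_authorization_required_code()`), and the function name and error codes are constructed for the example.

```php
<?php
// Added illustration of the ticket's proposal; not WordPress core code.
// Assumes the WordPress runtime is loaded (current_user_can(), get_userdata(),
// WP_Error, WP_REST_Request, rest_authorization_required_code()).

/**
 * Permission check for an update request against /wp/v2/users/<id>.
 *
 * Order of checks, as suggested in the ticket:
 *  1. A request that sets 'roles' needs the 'promote_user' meta capability
 *     for the target user. On multisite this is granted to both site
 *     administrators and network administrators.
 *  2. Only if the request carries parameters beyond 'id' and 'roles' is the
 *     stricter 'edit_user' check run, which on multisite only network
 *     administrators pass.
 *
 * Returns true when the request is allowed, or a WP_Error otherwise.
 */
function example_update_user_permissions_check( WP_REST_Request $request ) {
    $user = get_userdata( (int) $request['id'] );
    if ( empty( $user ) ) {
        return new WP_Error(
            'example_user_invalid_id',
            'Invalid user ID.',
            array( 'status' => 404 )
        );
    }

    $params = $request->get_params();

    // Step 1: changing roles requires promote_user on this specific user.
    if ( ! empty( $params['roles'] ) && ! current_user_can( 'promote_user', $user->ID ) ) {
        return new WP_Error(
            'example_cannot_edit_roles',
            'Sorry, you are not allowed to edit roles of this user.',
            array( 'status' => rest_authorization_required_code() )
        );
    }

    // Step 2: anything other than id + roles is a full user edit.
    // Only the fields actually attached to the request are considered, so a
    // roles-only request from a site admin passes without edit_user.
    $extra = array_diff_key( $params, array_flip( array( 'id', 'roles' ) ) );
    if ( ! empty( $extra ) && ! current_user_can( 'edit_user', $user->ID ) ) {
        return new WP_Error(
            'example_cannot_edit',
            'Sorry, you are not allowed to edit this user.',
            array( 'status' => rest_authorization_required_code() )
        );
    }

    return true;
}
```

Note that `get_params()` returns every parameter the request carries, so a real implementation would want to restrict the "extra parameters" test to the fields the endpoint's schema treats as writable rather than to arbitrary query arguments.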