[wp-trac] [WordPress Trac] #56166: get_item_permissions_check

WordPress Trac noreply at wordpress.org
Thu Jul 7 08:15:02 UTC 2022

#56166: get_item_permissions_check
 Reporter:  marijnboekel  |       Owner:  (none)
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  REST API      |     Version:  6.0
 Severity:  normal        |  Resolution:
 Keywords:                |     Focuses:  rest-api

Comment (by marijnboekel):

 Replying to [comment:1 christinavoudouris]:
 I understand, and i have already filtered the list returned by the list-
 users to only return the users the client has access too.
 In this particular case i'm using the https://developer.wordpress.org
 /rest-api/reference/users/#retrieve-a-user endpoint

 Look at it like this:
 1. Frontend requests list of users from API /wp/v2/user/ . This returns a
 list of users that the logged-in user has access too. (i managed to filter
 that request through rest_user_query filter.

 2. User clicks on of the users (at a url like
 'myfrontend.tld/user/<userid>') and makes a request to the API

 3. Then change the ID in the browser-url to an ID the logged-in user does
 not have access to. The REST Api still returns the userdata

 > Hey, I looked up the users endpoint in the docs, and you can include or
 exclude users by ID:
 > https://developer.wordpress.org/rest-api/reference/users/#list-users
 > I haven't tried it with users specifically, but I know you can also do
 the same thing with posts and pages. I think that may work for you?
 > Replying to [ticket:56166 marijnboekel]:
 > > I'm using the REST Api to fetch users. The logged in user should only
 have access to some specific user ID's.
 > >
 > > I'm trying to deny access to certain users by using the
 {{{user_has_cap}}} filter, but cannot get it to work.
 > >
 > > After reading through the code from {{{WP_REST_Users_Controller}}} i
 found that the function {{{get_item_permissions_check}}} uses the AND
 {{{&&}}} operator, while i think it should be OR {{{||}}}? The {{{!
 count_user_posts( $user->ID, $types )}}} is always false (assuming the
 user has posts), so regardless of what i do in the {{{user_has_cap}}}, i
 cannot deny access.
 > >
 > > https://github.com/WordPress/wordpress-develop/blob/6.0/src/wp-
 > >
 > >
 > > Perhaps i'm approaching this the wrong way, maybe there is another way
 to achieve what i want?
 > >

Ticket URL: <https://core.trac.wordpress.org/ticket/56166#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list