[wp-trac] [WordPress Trac] #56166: get_item_permissions_check
WordPress Trac
noreply at wordpress.org
Thu Jul 7 09:06:46 UTC 2022
#56166: get_item_permissions_check
--------------------------+------------------------------
Reporter: marijnboekel | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: REST API | Version: 6.0
Severity: normal | Resolution:
Keywords: | Focuses: rest-api
--------------------------+------------------------------
Comment (by marijnboekel):
My bad, typo. The requests are made against wp/v2/users and
wp/v2/users/:id
I am getting results so the API is working.
I'm just unable to deny access to specific /users/:id endpoints depending
on the logged-in user, using the {{{user_has_cap}}} filter.
I think that is because of an incorrect if-statement on this
line:https://github.com/WordPress/wordpress-develop/blob/6.0/src/wp-
includes/rest-api/endpoints/class-wp-rest-users-controller.php#L445
I think it should be something like
{{{ if ( ! count_user_posts( $user->ID, $types ) || ( ! current_user_can(
'edit_user', $user->ID ) && ! current_user_can( 'list_users' ) ) ) }}}
instead of
{{{ if ( ! count_user_posts( $user->ID, $types ) && ! current_user_can(
'edit_user', $user->ID ) && ! current_user_can( 'list_users' ) ) }}}
Replying to [comment:3 christinavoudouris]:
> Replying to [comment:2 marijnboekel]:
> Well, under #1, you say you're using /wp/v2/user; you need /wp/v2/users.
Unless that's just a typo. If that's the case I'm not sure if it's a bug,
or it's not working because you're calling a new endpoint of
/wp/v2/user/<id> later on.
>
> > I understand, and i have already filtered the list returned by the
list-users to only return the users the client has access too.
> > In this particular case i'm using the https://developer.wordpress.org
/rest-api/reference/users/#retrieve-a-user endpoint
> >
> > Look at it like this:
> > 1. Frontend requests list of users from API /wp/v2/user/ . This
returns a list of users that the logged-in user has access too. (i managed
to filter that request through rest_user_query filter.
> >
> > 2. User clicks on of the users (at a url like
'myfrontend.tld/user/<userid>') and makes a request to the API
wp/v2/user/<id>
> >
> > 3. Then change the ID in the browser-url to an ID the logged-in user
does not have access to. The REST Api still returns the userdata
> >
> > Replying to [comment:1 christinavoudouris]:
> > > Hey, I looked up the users endpoint in the docs, and you can include
or exclude users by ID:
> > > https://developer.wordpress.org/rest-api/reference/users/#list-users
> > >
> > > I haven't tried it with users specifically, but I know you can also
do the same thing with posts and pages. I think that may work for you?
> > >
> > > Replying to [ticket:56166 marijnboekel]:
> > > > I'm using the REST Api to fetch users. The logged in user should
only have access to some specific user ID's.
> > > >
> > > > I'm trying to deny access to certain users by using the
{{{user_has_cap}}} filter, but cannot get it to work.
> > > >
> > > > After reading through the code from {{{WP_REST_Users_Controller}}}
i found that the function {{{get_item_permissions_check}}} uses the AND
{{{&&}}} operator, while i think it should be OR {{{||}}}? The {{{!
count_user_posts( $user->ID, $types )}}} is always false (assuming the
user has posts), so regardless of what i do in the {{{user_has_cap}}}, i
cannot deny access.
> > > >
> > > > https://github.com/WordPress/wordpress-develop/blob/6.0/src/wp-
includes/rest-api/endpoints/class-wp-rest-users-controller.php#L445
> > > >
> > > >
> > > > Perhaps i'm approaching this the wrong way, maybe there is another
way to achieve what i want?
> > > >
--
Ticket URL: <https://core.trac.wordpress.org/ticket/56166#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list