[wp-trac] [WordPress Trac] #56166: get_item_permissions_check
WordPress Trac
noreply at wordpress.org
Thu Jul 7 10:55:42 UTC 2022
#56166: get_item_permissions_check
--------------------------+------------------------------
Reporter: marijnboekel | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: REST API | Version: 6.0
Severity: normal | Resolution:
Keywords: | Focuses: rest-api
--------------------------+------------------------------
Comment (by christinavoudouris):
Replying to [comment:4 marijnboekel]:
You may be right. I am not familiar enough with PHP so that code would
have to be tested. I suggest since you already have your app set up, to
clone the repository, make a branch with your edit and try it locally. If
there is a reason to keep the original code, your solution could still be
added as an option.
> My bad, typo. The requests are made against wp/v2/users and
wp/v2/users/:id
> I am getting results so the API is working.
> I'm just unable to deny access to specific /users/:id endpoints
depending on the logged-in user, using the {{{user_has_cap}}} filter.
> I think that is because of an incorrect if-statement on this
line:https://github.com/WordPress/wordpress-develop/blob/6.0/src/wp-
includes/rest-api/endpoints/class-wp-rest-users-controller.php#L445
> I think it should be something like
>
> {{{ if ( ! count_user_posts( $user->ID, $types ) || ( !
current_user_can( 'edit_user', $user->ID ) && ! current_user_can(
'list_users' ) ) ) }}}
>
> instead of
>
> {{{ if ( ! count_user_posts( $user->ID, $types ) && ! current_user_can(
'edit_user', $user->ID ) && ! current_user_can( 'list_users' ) ) }}}
>
> Replying to [comment:3 christinavoudouris]:
> > Replying to [comment:2 marijnboekel]:
> > Well, under #1, you say you're using /wp/v2/user; you need
/wp/v2/users. Unless that's just a typo. If that's the case I'm not sure
if it's a bug, or it's not working because you're calling a new endpoint
of /wp/v2/user/<id> later on.
> >
> > > I understand, and i have already filtered the list returned by the
list-users to only return the users the client has access too.
> > > In this particular case i'm using the
https://developer.wordpress.org/rest-api/reference/users/#retrieve-a-user
endpoint
> > >
> > > Look at it like this:
> > > 1. Frontend requests list of users from API /wp/v2/user/ . This
returns a list of users that the logged-in user has access too. (i managed
to filter that request through rest_user_query filter.
> > >
> > > 2. User clicks on of the users (at a url like
'myfrontend.tld/user/<userid>') and makes a request to the API
wp/v2/user/<id>
> > >
> > > 3. Then change the ID in the browser-url to an ID the logged-in user
does not have access to. The REST Api still returns the userdata
> > >
> > > Replying to [comment:1 christinavoudouris]:
> > > > Hey, I looked up the users endpoint in the docs, and you can
include or exclude users by ID:
> > > > https://developer.wordpress.org/rest-api/reference/users/#list-
users
> > > >
> > > > I haven't tried it with users specifically, but I know you can
also do the same thing with posts and pages. I think that may work for
you?
> > > >
> > > > Replying to [ticket:56166 marijnboekel]:
> > > > > I'm using the REST Api to fetch users. The logged in user should
only have access to some specific user ID's.
> > > > >
> > > > > I'm trying to deny access to certain users by using the
{{{user_has_cap}}} filter, but cannot get it to work.
> > > > >
> > > > > After reading through the code from
{{{WP_REST_Users_Controller}}} i found that the function
{{{get_item_permissions_check}}} uses the AND {{{&&}}} operator, while i
think it should be OR {{{||}}}? The {{{! count_user_posts( $user->ID,
$types )}}} is always false (assuming the user has posts), so regardless
of what i do in the {{{user_has_cap}}}, i cannot deny access.
> > > > >
> > > > > https://github.com/WordPress/wordpress-develop/blob/6.0/src/wp-
includes/rest-api/endpoints/class-wp-rest-users-controller.php#L445
> > > > >
> > > > >
> > > > > Perhaps i'm approaching this the wrong way, maybe there is
another way to achieve what i want?
> > > > >
--
Ticket URL: <https://core.trac.wordpress.org/ticket/56166#comment:5>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list