[wp-trac] [WordPress Trac] #56166: get_item_permissions_check

WordPress Trac noreply at wordpress.org
Thu Jul 7 13:41:58 UTC 2022

#56166: get_item_permissions_check
 Reporter:  marijnboekel  |       Owner:  (none)
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  REST API      |     Version:  6.0
 Severity:  normal        |  Resolution:
 Keywords:                |     Focuses:  rest-api

Comment (by SergeyBiryukov):

 Hi there, welcome to WordPress Trac! Thanks for the ticket.

 Replying to [comment:6 marijnboekel]:
 > I'm trying to understand why this count_user_posts is there in the first
 > In my opinion we should be able to fetch a user, regardless if the user
 has zero posts.
 > if so, we could eliminate the count_user_posts entirely

 I have tracked down the `count_user_posts()` check to [https://github.com
 /WP-API/WP-API/commit/cc24233688b868606eb87eb60159532efd73ce5d this
 commit], where REST API was still a feature plugin.

 It was later merged to core in [38832] / #38373. Based on this part of the
 commit message:
 > Users: Read and write access to all user data. This includes public
 access to some data for post authors.

 I think the check is there because user profiles of authors with published
 posts are considered public and can be viewed regardless of current user's
 permission. For that purpose, the check looks correct to me as is.

Ticket URL: <https://core.trac.wordpress.org/ticket/56166#comment:7>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list