[wp-trac] [WordPress Trac] #56166: get_item_permissions_check

WordPress Trac noreply at wordpress.org
Thu Jul 7 13:54:27 UTC 2022

#56166: get_item_permissions_check
 Reporter:  marijnboekel  |       Owner:  (none)
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  Users         |     Version:  6.0
 Severity:  normal        |  Resolution:
 Keywords:                |     Focuses:  rest-api

Comment (by marijnboekel):

 Hi Sergey, thanks for your reply!

 Replying to [comment:7 SergeyBiryukov]:
 > It was later merged to core in [38832] / #38373. Based on this part of
 the commit message:
 > > Users: Read and write access to all user data. This includes public
 access to some data for post authors.
 > I think the check is there because user profiles of authors with
 published posts are considered public and can be viewed regardless of
 current user's permission. For that purpose, the check looks correct to me
 as is.

 From that perspective it makes sense, thanks for clearing that up :)
 Although you could consider private and public post-types (in my case i
 only work with private custom post types)

 Do you have another approach i can make in order to block access to
 specific user-requests? I can't find any other usefull hooks or filters.
 I'm thinking to overwrite rest_prepare_user and add some conditions there,
 but it would be nicer to check this in the permissions check.

Ticket URL: <https://core.trac.wordpress.org/ticket/56166#comment:9>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list