[wp-trac] [WordPress Trac] #39701: Do not allow editing users from a different site in REST API
WordPress Trac
noreply at wordpress.org
Tue Feb 7 19:03:23 UTC 2017
#39701: Do not allow editing users from a different site in REST API
--------------------------------------+------------------------
Reporter: flixos90 | Owner: jnylen0
Type: defect (bug) | Status: reviewing
Priority: normal | Milestone: 4.7.3
Component: REST API | Version: 4.7
Severity: normal | Resolution:
Keywords: has-patch has-unit-tests | Focuses: multisite
--------------------------------------+------------------------
Changes (by flixos90):
* owner: flixos90 => jnylen0
* status: assigned => reviewing
Comment:
After the discussion in today's office hours we decided to do the
following for 4.7.3:
1. Fail when `GET` to `/users/<id>` and that user is not part of the
current site.
2. Fail when `PUT` to `/users/<id>` and that user is not part of the
current site.
In addition, I think the `DELETE` request to `/users/<id>` should fail in
a similar way. It already fails now as it is not supported on multisite,
but it should return the same type of error response if the user is not
part of the current site.
I implemented this behavior in [attachment:39701.2.diff], including
updated unit tests. I adjusted another existing unit test and removed
another one entirely as it didn't make sense anymore. I decided to return
a 404 error, since multisite is not really supported and in single site
scope that user simply does not exist.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/39701#comment:13>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
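As an added illustration (not the patch attached to the ticket, and using constructed in-memory data in place of WordPress's `get_userdata()` and `is_user_member_of_blog()`), this standalone PHP sketch shows the behaviour the comment asks for: `GET`, `PUT` and `DELETE` on `/users/<id>` all pass one membership gate that answers the same 404 for a user on another site as for a nonexistent id, so the response does not reveal whether the id exists elsewhere on the network. The `DELETE` status and error code are placeholders for the existing multisite refusal, not values taken from the page.

```php
<?php
// Constructed data standing in for the network user table and per-site membership.
$users        = [ 1 => 'alice', 2 => 'bob', 3 => 'carol' ]; // network-wide users
$site_members = [ 1 => [ 1, 2 ], 2 => [ 3 ] ];               // site id => member user ids
$multisite    = true;
$current_site = 1;

function invalid_user_error(): array {
    // One shape for every failure: in single-site scope this user simply does not exist.
    return [ 'code' => 'rest_user_invalid_id', 'message' => 'Invalid user ID.', 'status' => 404 ];
}

function get_site_user( int $id, array $users, array $site_members, bool $multisite, int $site ): array {
    if ( $id <= 0 || ! isset( $users[ $id ] ) ) {
        return invalid_user_error();
    }
    // On multisite, a user who exists but is not a member of the current site
    // is treated exactly like a user who does not exist at all.
    if ( $multisite && ! in_array( $id, $site_members[ $site ] ?? [], true ) ) {
        return invalid_user_error();
    }
    return [ 'id' => $id, 'login' => $users[ $id ], 'status' => 200 ];
}

function handle_user_request( string $method, int $id, array $users, array $site_members, bool $multisite, int $site ): array {
    // Every method resolves the user through the same gate before doing any work.
    $user = get_site_user( $id, $users, $site_members, $multisite, $site );
    if ( 404 === $user['status'] ) {
        return $user; // GET, PUT and DELETE fail identically for off-site users
    }
    switch ( $method ) {
        case 'GET':
            return $user;
        case 'PUT':
            return [ 'status' => 200, 'updated' => $user['login'] ];
        case 'DELETE':
            // Placeholder for the existing "not supported on multisite" refusal (assumed values).
            return [ 'status' => 501, 'code' => 'rest_delete_unsupported_placeholder' ];
    }
    return [ 'status' => 405, 'code' => 'rest_no_route' ];
}

// Walk through the cases the ticket discusses: on-site user, off-site user, unknown id.
foreach ( [ [ 'GET', 1 ], [ 'GET', 3 ], [ 'PUT', 3 ], [ 'DELETE', 3 ], [ 'GET', 99 ] ] as [ $m, $id ] ) {
    $r = handle_user_request( $m, $id, $users, $site_members, $multisite, $current_site );
    printf( "%-6s /users/%-2d -> %d %s\n", $m, $id, $r['status'], $r['code'] ?? $r['login'] ?? $r['updated'] );
}
```

Running it shows user 3 (a member of site 2 only) producing the same `404 rest_user_invalid_id` as the unknown id 99 for every method, while user 1 succeeds on site 1.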