[wp-trac] [WordPress Trac] #39544: REST API: Improve users endpoint in multisite

Tue Aug 17 17:51:51 UTC 2021

#39544: REST API: Improve users endpoint in multisite
----------------------------+-----------------------------
 Reporter:  flixos90        |       Owner:  (none)
     Type:  task (blessed)  |      Status:  new
 Priority:  normal          |   Milestone:  Future Release
Component:  REST API        |     Version:
 Severity:  normal          |  Resolution:
 Keywords:  ms-roadmap      |     Focuses:  multisite
----------------------------+-----------------------------

Comment (by johnjamesjacoby):

 I have some ideas I have not seen discussed yet, and maybe some variations
 on existing ones.

 1. I am not a big fan of `global=true`. It feels bolted on (because it is)
 instead of an intentional part of the API design. Users in WordPress are
 always technically global no matter the installation type; Roles and Caps
 just happen to grant them access to Sites and Networks.
 1. User management for Sites could be part of a `/sites` route instead of
 `/users`. This would sidestep problems with multisite awareness, as the
 multisite specific routes would not be registered on single-site
 installations. It also could perhaps provide an alternative route to list
 the users of specific sites, etc...
 1. User management for Networks could be part of a `/networks` route. This
 doesn't exist in WordPress core at all, but perhaps we can incrementally
 start experimenting with it.

 * `GET wp/v2/users` always returns all users regardless of site
 * `GET wp/v2/sites/<id>/users` returns users with Caps on the specified
 site
 * `GET wp/v2/users/<id>` returns a user
 * `GET wp/v2/sites/<id>/users/<id>` returns a user if Capped on the
 specified site
 * `POST/PUT/PATCH wp/v2/users/<id>` updates any user
 * `POST wp/v2/users` creates a new user
 * `POST wp/v2/sites/<id>/users/add/<email|id>` adds an existing user to
 the current site
 * `DELETE wp/v2/users/<id>` deletes any user entirely⭐️
 * `DELETE wp/v2/sites/<id>/users/<id>` deletes a user from a site

 ⭐️ Should deleting a user entirely check for authored content and fail if
 they have any? Could a `force=true` flag be added or something?

 The only obvious problem with that API design is that it exposes site IDs,
 which may or may not be desirable. It also is perhaps more work, and
 enables capable users to make requests at one site to affect another one,
 which is kind of weird and I don't really love either now that I'm typing
 this.

 Oh well. Sharing anyways just to get my thoughts out! 😅

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/39544#comment:26>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform