[wp-trac] [WordPress Trac] #56166: get_item_permissions_check

WordPress Trac noreply at wordpress.org
Thu Jul 7 08:57:52 UTC 2022 

#56166: get_item_permissions_check
--------------------------+------------------------------
 Reporter:  marijnboekel  |       Owner:  (none)
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  REST API      |     Version:  6.0
 Severity:  normal        |  Resolution:
 Keywords:                |     Focuses:  rest-api
--------------------------+------------------------------

Comment (by christinavoudouris):

 Replying to [comment:2 marijnboekel]:
 Well, under #1, you say you're using /wp/v2/user; you need /wp/v2/users.
 Unless that's just a typo. If that's the case I'm not sure if it's a bug,
 or it's not working because you're calling a new endpoint of
 /wp/v2/user/<id> later on.

 > I understand, and i have already filtered the list returned by the list-
 users to only return the users the client has access too.
 > In this particular case i'm using the https://developer.wordpress.org
 /rest-api/reference/users/#retrieve-a-user endpoint
 >
 > Look at it like this:
 > 1. Frontend requests list of users from API /wp/v2/user/ . This returns
 a list of users that the logged-in user has access too. (i managed to
 filter that request through rest_user_query filter.
 >
 > 2. User clicks on of the users (at a url like
 'myfrontend.tld/user/<userid>') and makes a request to the API
 wp/v2/user/<id>
 >
 > 3. Then change the ID in the browser-url to an ID the logged-in user
 does not have access to. The REST Api still returns the userdata
 >
 > Replying to [comment:1 christinavoudouris]:
 > > Hey, I looked up the users endpoint in the docs, and you can include
 or exclude users by ID:
 > > https://developer.wordpress.org/rest-api/reference/users/#list-users
 > >
 > > I haven't tried it with users specifically, but I know you can also do
 the same thing with posts and pages. I think that may work for you?
 > >
 > > Replying to [ticket:56166 marijnboekel]:
 > > > I'm using the REST Api to fetch users. The logged in user should
 only have access to some specific user ID's.
 > > >
 > > > I'm trying to deny access to certain users by using the
 {{{user_has_cap}}} filter, but cannot get it to work.
 > > >
 > > > After reading through the code from {{{WP_REST_Users_Controller}}} i
 found that the function {{{get_item_permissions_check}}} uses the AND
 {{{&&}}} operator, while i think it should be OR {{{||}}}? The {{{!
 count_user_posts( $user->ID, $types )}}} is always false (assuming the
 user has posts), so regardless of what i do in the {{{user_has_cap}}}, i
 cannot deny access.
 > > >
 > > > https://github.com/WordPress/wordpress-develop/blob/6.0/src/wp-
 includes/rest-api/endpoints/class-wp-rest-users-controller.php#L445
 > > >
 > > >
 > > > Perhaps i'm approaching this the wrong way, maybe there is another
 way to achieve what i want?
 > > >

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/56166#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list