Ticket #40263: 40263.diff
File 40263.diff, 2.5 KB (added by , 7 years ago) |
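--- a/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php
+++ b/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php
@@ -570,12 +570,19 @@
 return $user;
 }
 
-if ( ! current_user_can( 'edit_user', $user->ID ) ) {
-return new WP_Error( 'rest_cannot_edit', __( 'Sorry, you are not allowed to edit this user.' ), array( 'status' => rest_authorization_required_code() ) );
+if ( ! empty( $request['roles'] ) ) {
+if ( ! current_user_can( 'promote_user', $user->ID ) ) {
+return new WP_Error( 'rest_cannot_edit_roles', __( 'Sorry, you are not allowed to edit roles of this user.' ), array( 'status' => rest_authorization_required_code() ) );
+}
+
+$request_params = $request->get_params();
+if ( count( $request_params ) === 2 ) {
+return true;
+}
 }
 
-if ( ! empty( $request['roles'] ) && ! current_user_can( 'edit_users') ) {
-return new WP_Error( 'rest_cannot_edit _roles', __( 'Sorry, you are not allowed to edit roles ofthis user.' ), array( 'status' => rest_authorization_required_code() ) );
+if ( ! current_user_can( 'edit_user', $user->ID ) ) {
+return new WP_Error( 'rest_cannot_edit', __( 'Sorry, you are not allowed to edit this user.' ), array( 'status' => rest_authorization_required_code() ) );
 }
 
 return true;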
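Review bot: The early `return true` on the roles-only path relies on `count( $request_params ) === 2` to mean "only `id` and `roles`", which is an indirect test: it never looks at which keys are present, and it silently depends on the route always contributing `id` and on no endpoint argument having a default that `get_params()` would merge in. Checking the keys explicitly is safer and self-documenting: `if ( ! array_diff( array_keys( $request_params ), array( 'id', 'roles' ) ) ) { return true; }`. Note also that this path skips the `edit_user` check entirely, so any target-user protections that `edit_user` enforces (such as restrictions on editing a super admin in multisite, if `map_meta_cap` applies them) now hinge on `promote_user` alone; worth confirming that meta cap guards the same cases before merging. The enclosing permission callback starts above the hunk.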
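--- a/tests/phpunit/tests/rest-api/rest-users-controller.php
+++ b/tests/phpunit/tests/rest-api/rest-users-controller.php
@@ -1569,6 +1569,25 @@
 $this->assertErrorResponse( 'rest_user_invalid_id', $response, 404 );
 }
 
+/**
+ * @ticket 40263
+ * @group ms-required
+ */
+public function test_update_item_only_roles_as_site_administrator() {
+$user_id = $this->factory->user->create( array(
+'role' => 'author',
+) );
+
+wp_set_current_user( self::$user );
+$request = new WP_REST_Request( 'PUT', sprintf( '/wp/v2/users/%d', $user_id ) );
+$request->set_param( 'roles', array( 'editor' ) );
+$response = $this->server->dispatch( $request );
+$this->assertEquals( 200, $response->get_status() );
+
+$new_data = $response->get_data();
+$this->assertEquals( 'editor', $new_data['roles'][0] );
+}
+
 public function test_update_item_invalid_password() {
 $this->allow_user_to_manage_multisite();
 wp_set_current_user( self::$user );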
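Review bot: The new test exercises only the allow path of the roles-only branch; nothing in the hunk asserts that the permission bypass is narrow. A companion test should send `roles` together with another field as the same site administrator (e.g. `$request->set_param( 'email', 'new@example.org' );`) and assert `rest_cannot_edit` with 403, and a second one should have a user lacking `promote_user` (an editor, say) receive `rest_cannot_edit_roles`. Without those, a regression that widened the early return, such as a change to the param-count check, would still pass this suite. This assumes `self::$user` is a site administrator without network-level user capabilities, as the test name implies; confirm against the fixture setup, which is outside the hunk.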