WordPress.org

Make WordPress Core


Ignore:
Timestamp:
02/23/2017 10:36:54 PM (3 years ago)
Author:
flixos90
Message:

REST API: Do not allow access to users from a different site in multisite.

It has been unintendedly possible to both view and edit users from a different site than the current site in multisite environments. Moreover, when passing roles to a user in an update request, that user would implicitly be added to the current site.

This changeset removes the incorrect behavior for now in order to be able to provide a proper REST API workflow for managing multisite users in the near future. Related unit tests have been adjusted as well.

Props jnylen0, jeremyfelt, johnjamesjacoby.
Fixes #39701.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php

    r39954 r40106  
    352352        }
    353353
     354        if ( is_multisite() && ! is_user_member_of_blog( $user->ID ) ) {
     355            return $error;
     356        }
     357
    354358        return $user;
    355359    }
     
    639643        /** This action is documented in wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php */
    640644        do_action( 'rest_insert_user', $user, $request, false );
    641 
    642         if ( is_multisite() && ! is_user_member_of_blog( $id ) ) {
    643             add_user_to_blog( get_current_blog_id(), $id, '' );
    644         }
    645645
    646646        if ( ! empty( $request['roles'] ) ) {
Note: See TracChangeset for help on using the changeset viewer.