Changeset 40106 for trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php

Timestamp:

02/23/2017 10:36:54 PM (7 years ago)

Author:

flixos90

Message:

REST API: Do not allow access to users from a different site in multisite.

It has been unintendedly possible to both view and edit users from a different site than the current site in multisite environments. Moreover, when passing roles to a user in an update request, that user would implicitly be added to the current site.

This changeset removes the incorrect behavior for now in order to be able to provide a proper REST API workflow for managing multisite users in the near future. Related unit tests have been adjusted as well.

Props jnylen0, jeremyfelt, johnjamesjacoby.
Fixes #39701.

File:

• trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php (modified) (2 diffs)

trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php

@@ -352 +352 @@
         }
 
+        if ( is_multisite() && ! is_user_member_of_blog( $user->ID ) ) {
+            return $error;
+        }
+
         return $user;
     }
@@ -639 +643 @@
         /** This action is documented in wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php */
         do_action( 'rest_insert_user', $user, $request, false );
-
-        if ( is_multisite() && ! is_user_member_of_blog( $id ) ) {
-            add_user_to_blog( get_current_blog_id(), $id, '' );
-        }
 
         if ( ! empty( $request['roles'] ) ) {