Make WordPress Core


Timestamp:
02/24/2017 08:45:52 PM (8 years ago)
Author:
SergeyBiryukov
Message:

REST API: Do not allow access to users from a different site in multisite.

It has been unintendedly possible to both view and edit users from a different site than the current site in multisite environments. Moreover, when passing roles to a user in an update request, that user would implicitly be added to the current site.

This changeset removes the incorrect behavior for now in order to be able to provide a proper REST API workflow for managing multisite users in the near future. Related unit tests have been adjusted as well.

Props jnylen0, jeremyfelt, johnjamesjacoby.
Merges [40106] to the 4.7 branch.
Fixes #39701.

Location:
branches/4.7
Files:
2 edited

  • branches/4.7

  • branches/4.7/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php

    r39957 r40111  
    351351        }
    352352
     353        if ( is_multisite() && ! is_user_member_of_blog( $user->ID ) ) {
     354            return $error;
     355        }
     356
    353357        return $user;
    354358    }
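
Review bot: The membership check added at new lines 353-355 carries no inline comment explaining why a user who exists but is not a member of the current site is rejected, and the commit message describes this as a restriction "for now". A short comment above `if ( is_multisite() && ! is_user_member_of_blog( $user->ID ) ) {` pointing at #39701 would keep a later reader from treating it as a bug. Returning the shared `$error` instead of a distinct one looks right if, as its name suggests, it is the same error this method returns for an invalid ID (its definition is outside this hunk), because the response then does not reveal whether an ID belongs to a user on another site. A test asserting that the two responses are identical would pin that down.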
     
    638642        /* This action is documented in lib/endpoints/class-wp-rest-users-controller.php */
    639643        do_action( 'rest_insert_user', $user, $request, false );
    640 
    641         if ( is_multisite() && ! is_user_member_of_blog( $id ) ) {
    642             add_user_to_blog( get_current_blog_id(), $id, '' );
    643         }
    644644
    645645        if ( ! empty( $request['roles'] ) ) {
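
Review bot: With the `add_user_to_blog()` call at old lines 641-643 removed, the `if ( ! empty( $request['roles'] ) )` branch that follows at line 645 is only safe if a request for a non-member has already been rejected before execution reaches this point. That guard is not visible in this hunk, so please confirm the update path resolves `$id` through the membership check added at new line 353, and add a test showing that an update carrying `roles` for a user from a different site returns the error and leaves that user's site membership unchanged.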