Changeset 41226
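--- a/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php
+++ b/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php
@@ -562,10 +562,20 @@
 		}
 
+		if ( ! empty( $request['roles'] ) ) {
+			if ( ! current_user_can( 'promote_user', $user->ID ) ) {
+				return new WP_Error( 'rest_cannot_edit_roles', __( 'Sorry, you are not allowed to edit roles of this user.' ), array( 'status' => rest_authorization_required_code() ) );
+			}
+
+			$request_params = array_keys( $request->get_params() );
+			sort( $request_params );
+			// If only 'id' and 'roles' are specified (we are only trying to
+			// edit roles), then only the 'promote_user' cap is required.
+			if ( $request_params === array( 'id', 'roles' ) ) {
+				return true;
+			}
+		}
+
 		if ( ! current_user_can( 'edit_user', $user->ID ) ) {
 			return new WP_Error( 'rest_cannot_edit', __( 'Sorry, you are not allowed to edit this user.' ), array( 'status' => rest_authorization_required_code() ) );
-		}
-
-		if ( ! empty( $request['roles'] ) && ! current_user_can( 'edit_users' ) ) {
-			return new WP_Error( 'rest_cannot_edit_roles', __( 'Sorry, you are not allowed to edit roles of this user.' ), array( 'status' => rest_authorization_required_code() ) );
 		}
 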
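Review bot: The fast path at new lines 569–575 grants access on `promote_user` alone only when the sorted keys of `$request->get_params()` are exactly `array( 'id', 'roles' )`, so the branch is only as reliable as the assumption that `get_params()` returns nothing but caller-supplied keys; if it also merges registered-argument defaults (which I believe `WP_REST_Request` does), any argument with a schema default would appear in the key list and the `return true` at line 574 would silently never be reached. The early `return true` also skips whatever checks follow line 581 — the enclosing method starts and ends outside this hunk — so it is worth confirming that nothing below is meant to apply to role-only updates. I would record the assumption above line 573: `// Assumes get_params() yields only caller-supplied keys plus 'id' from the route; a registered default would defeat this match.`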
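--- a/trunk/tests/phpunit/tests/rest-api/rest-users-controller.php
+++ b/trunk/tests/phpunit/tests/rest-api/rest-users-controller.php
@@ -1592,4 +1592,66 @@
 
 		$this->assertErrorResponse( 'rest_user_invalid_id', $response, 404 );
+	}
+
+	/**
+	 * @ticket 40263
+	 */
+	public function test_update_item_only_roles_as_editor() {
+		$user_id = $this->factory->user->create( array(
+			'role' => 'author',
+		) );
+
+		wp_set_current_user( self::$editor );
+		$request = new WP_REST_Request( 'PUT', sprintf( '/wp/v2/users/%d', $user_id ) );
+		$request->set_param( 'roles', array( 'editor' ) );
+		$response = $this->server->dispatch( $request );
+		$this->assertErrorResponse( 'rest_cannot_edit_roles', $response, 403 );
+	}
+
+	/**
+	 * @ticket 40263
+	 */
+	public function test_update_item_only_roles_as_site_administrator() {
+		$user_id = $this->factory->user->create( array(
+			'role' => 'author',
+		) );
+
+		wp_set_current_user( self::$user );
+		$request = new WP_REST_Request( 'PUT', sprintf( '/wp/v2/users/%d', $user_id ) );
+		$request->set_param( 'roles', array( 'editor' ) );
+		$response = $this->server->dispatch( $request );
+		$this->assertEquals( 200, $response->get_status() );
+
+		$new_data = $response->get_data();
+		$this->assertEquals( 'editor', $new_data['roles'][0] );
+	}
+
+	/**
+	 * @ticket 40263
+	 */
+	public function test_update_item_including_roles_and_other_params() {
+		$user_id = $this->factory->user->create( array(
+			'role' => 'author',
+		) );
+
+		wp_set_current_user( self::$user );
+		$request = new WP_REST_Request( 'PUT', sprintf( '/wp/v2/users/%d', $user_id ) );
+		$request->set_param( 'roles', array( 'editor' ) );
+		$request->set_param( 'name', 'Short-Lived User' );
+		$response = $this->server->dispatch( $request );
+
+		if ( is_multisite() ) {
+			// Site administrators can promote users, as verified by the
+			// previous test, but they cannot perform other user-editing
+			// operations. This also tests the branch of logic that verifies
+			// that no parameters other than 'id' and 'roles' are specified for
+			// a roles update.
+			$this->assertErrorResponse( 'rest_cannot_edit', $response, 403 );
+		} else {
+			$this->assertEquals( 200, $response->get_status() );
+
+			$new_data = $response->get_data();
+			$this->assertEquals( 'editor', $new_data['roles'][0] );
+		}
 	}
 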
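Review bot: `test_update_item_including_roles_and_other_params` (new lines 1632–1655) never verifies that the second parameter took effect: the single-site branch asserts only the new role, so a regression that updates `roles` but silently drops `name` would still pass. Adding `$this->assertEquals( 'Short-Lived User', $new_data['name'] );` after line 1654 pins the behaviour the test name promises. The comment at lines 1644–1648 also justifies the expectation by pointing to "the previous test", which only holds while the methods keep this order; naming `test_update_item_only_roles_as_site_administrator` there keeps the comment accurate if they are reordered.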