Changeset 41226


Timestamp:
08/03/2017 09:58:50 PM (2 years ago)
Author:
flixos90
Message:

REST API: Allow site administrators to edit user roles in multisite.

While site administrators cannot generally edit users in multisite, they have always been able to change the roles of users on their site. In the REST API however, this has not been possible so far. This changeset brings parity with how it is handled in the administration panel: A REST request to edit only a user's roles succeeds correctly, while a REST request to edit any further details of a user fails.

Props jnylen0.
Fixes #40263.

Location:
trunk
Files:
2 edited

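--- a/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php
+++ b/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php
@@ -562,10 +562,20 @@
         }
 
+        if ( ! empty( $request['roles'] ) ) {
+            if ( ! current_user_can( 'promote_user', $user->ID ) ) {
+                return new WP_Error( 'rest_cannot_edit_roles', __( 'Sorry, you are not allowed to edit roles of this user.' ), array( 'status' => rest_authorization_required_code() ) );
+            }
+
+            $request_params = array_keys( $request->get_params() );
+            sort( $request_params );
+            // If only 'id' and 'roles' are specified (we are only trying to
+            // edit roles), then only the 'promote_user' cap is required.
+            if ( $request_params === array( 'id', 'roles' ) ) {
+                return true;
+            }
+        }
+
         if ( ! current_user_can( 'edit_user', $user->ID ) ) {
             return new WP_Error( 'rest_cannot_edit', __( 'Sorry, you are not allowed to edit this user.' ), array( 'status' => rest_authorization_required_code() ) );
-        }
-
-        if ( ! empty( $request['roles'] ) && ! current_user_can( 'edit_users' ) ) {
-            return new WP_Error( 'rest_cannot_edit_roles', __( 'Sorry, you are not allowed to edit roles of this user.' ), array( 'status' => rest_authorization_required_code() ) );
         }
 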
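Review bot: The early `return true` after the sorted-keys comparison bypasses the `edit_user` check below, so a roles-only request is authorised by `promote_user` alone; `edit_user` is the meta cap that carries the multisite restriction on editing a super admin, and it is worth confirming that `promote_user` (or the role validation elsewhere in the controller, outside this hunk) applies an equivalent restriction to the target user before relying on this path. The bypass is intentional but easy to misread as a validation step, so a comment on the `return true` such as `// Intentionally skip the 'edit_user' check: in multisite a site admin may promote users they cannot otherwise edit.` would make it explicit. Note also that `get_params()` merges default argument values with the supplied ones, so any default-valued argument on this route would make the exact match fail and fall through (fail-closed) to `edit_user`, silently making the new path unreachable — presumably none exists, given the multisite test expects 200. The enclosing permissions-check method starts before the hunk.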
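--- a/trunk/tests/phpunit/tests/rest-api/rest-users-controller.php
+++ b/trunk/tests/phpunit/tests/rest-api/rest-users-controller.php
@@ -1592,4 +1592,66 @@
 
         $this->assertErrorResponse( 'rest_user_invalid_id', $response, 404 );
+    }
+
+    /**
+     * @ticket 40263
+     */
+    public function test_update_item_only_roles_as_editor() {
+        $user_id = $this->factory->user->create( array(
+            'role' => 'author',
+        ) );
+
+        wp_set_current_user( self::$editor );
+        $request = new WP_REST_Request( 'PUT', sprintf( '/wp/v2/users/%d', $user_id ) );
+        $request->set_param( 'roles', array( 'editor' ) );
+        $response = $this->server->dispatch( $request );
+        $this->assertErrorResponse( 'rest_cannot_edit_roles', $response, 403 );
+    }
+
+    /**
+     * @ticket 40263
+     */
+    public function test_update_item_only_roles_as_site_administrator() {
+        $user_id = $this->factory->user->create( array(
+            'role' => 'author',
+        ) );
+
+        wp_set_current_user( self::$user );
+        $request = new WP_REST_Request( 'PUT', sprintf( '/wp/v2/users/%d', $user_id ) );
+        $request->set_param( 'roles', array( 'editor' ) );
+        $response = $this->server->dispatch( $request );
+        $this->assertEquals( 200, $response->get_status() );
+
+        $new_data = $response->get_data();
+        $this->assertEquals( 'editor', $new_data['roles'][0] );
+    }
+
+    /**
+     * @ticket 40263
+     */
+    public function test_update_item_including_roles_and_other_params() {
+        $user_id = $this->factory->user->create( array(
+            'role' => 'author',
+        ) );
+
+        wp_set_current_user( self::$user );
+        $request = new WP_REST_Request( 'PUT', sprintf( '/wp/v2/users/%d', $user_id ) );
+        $request->set_param( 'roles', array( 'editor' ) );
+        $request->set_param( 'name', 'Short-Lived User' );
+        $response = $this->server->dispatch( $request );
+
+        if ( is_multisite() ) {
+            // Site administrators can promote users, as verified by the
+            // previous test, but they cannot perform other user-editing
+            // operations.  This also tests the branch of logic that verifies
+            // that no parameters other than 'id' and 'roles' are specified for
+            // a roles update.
+            $this->assertErrorResponse( 'rest_cannot_edit', $response, 403 );
+        } else {
+            $this->assertEquals( 200, $response->get_status() );
+
+            $new_data = $response->get_data();
+            $this->assertEquals( 'editor', $new_data['roles'][0] );
+        }
     }
 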
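Review bot: The two denial cases (`test_update_item_only_roles_as_editor` and the multisite branch of `test_update_item_including_roles_and_other_params`) assert only on the error response and never re-read the target user, so they would not catch a regression in which the permissions check rejects the request after the role had already been changed. Adding `$this->assertEquals( array( 'author' ), get_userdata( $user_id )->roles );` after each `assertErrorResponse` pins the invariant that a denied request leaves the role untouched.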