Timestamp:
05/01/2018 10:17:26 PM (4 years ago)
Author:
SergeyBiryukov
Message:

REST API: Add who=authors as a query parameter for GET wp/v2/users.

Any WordPress user who can edit_posts of a post type with show_in_rest=true can query for authors. This maps to current WordPress behavior where a WordPress user who can view the Manage Posts view for a post type can see any WordPress user assigned to a post (whether published or draft).

This implementation, rather than restricting who=authors to users with list_users, gives us future flexibility in displaying lists of posts. It still respects more restrictive permissions for context=edit.

Props danielbachhuber.
Merges [43001] to the 4.9 branch.
Fixes #42202.

Location:
branches/4.9
Files:
2 edited


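--- a/branches/4.9/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php
+++ b/branches/4.9/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php
@@ -187,4 +187,17 @@
         }
 
+        if ( 'authors' === $request['who'] ) {
+            $can_view = false;
+            $types = get_post_types( array( 'show_in_rest' => true ), 'objects' );
+            foreach ( $types as $type ) {
+                if ( current_user_can( $type->cap->edit_posts ) ) {
+                    $can_view = true;
+                }
+            }
+            if ( ! $can_view ) {
+                return new WP_Error( 'rest_forbidden_who', __( 'Sorry, you are not allowed to query users by this parameter.' ), array( 'status' => rest_authorization_required_code() ) );
+            }
+        }
+
         return true;
     }
@@ -251,5 +264,7 @@
         }
 
-        if ( ! current_user_can( 'list_users' ) ) {
+        if ( isset( $registered['who'] ) && ! empty( $request['who'] ) && 'authors' === $request['who'] ) {
+            $prepared_args['who'] = 'authors';
+        } elseif ( ! current_user_can( 'list_users' ) ) {
             $prepared_args['has_published_posts'] = get_post_types( array( 'show_in_rest' => true ), 'names' );
         }
@@ -1363,4 +1378,12 @@
         );
 
+        $query_params['who'] = array(
+            'description' => __( 'Limit result set to users who are considered authors.' ),
+            'type'        => 'string',
+            'enum'        => array(
+                'authors',
+            ),
+        );
+
         /**
          * Filter collection parameters for the users controller.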
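Review bot: The permission check in the first hunk gates on `'authors' === $request['who']` alone, while the query-building hunk additionally requires `isset( $registered['who'] )` (presumably the collection params, which the filter at the end of the third hunk lets a site alter), so a site that removes `who` would still answer `rest_forbidden_who` to callers without `edit_posts` for a parameter the query no longer honours; using the same condition in both places, and dropping the `! empty( $request['who'] )` test that the strict comparison already implies, would keep them in step. In the first hunk the `foreach` can `break;` as soon as `$can_view` is set, since only the existence of one qualifying post type matters. A short why-comment above that check would help the next reader, e.g. `// who=authors can surface users with only unpublished posts, so require edit_posts on at least one REST-visible post type instead of list_users.` The set of users that `who = 'authors'` selects is defined by WP_User_Query rather than by this controller, and appears to rest on legacy user-level data rather than capabilities — worth confirming it matches the audience this check intends to expose. The enclosing permission method begins before the first hunk and the query method around the second is only partly visible.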