
Changeset 53882


Timestamp:
08/11/2022 06:22:59 PM (20 months ago)
Author:
johnbillion
Message:

Application Passwords: Allow a Super Admin to set an application password on a site they're not a member of.

This removes the requirement that a Super Admin must be a member of the current site when they attempt to set an application password within the admin area of an individual site on the network.

Props TimothyBlynJacobs, ilovecats7, johnbillion, georgestephanis, johnjamesjacoby

Fixes #53224

Location:
trunk
Files:
2 edited

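--- a/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-application-passwords-controller.php
+++ b/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-application-passwords-controller.php
@@ -720,5 +720,5 @@
         }
 
-        if ( is_multisite() && ! is_user_member_of_blog( $user->ID ) ) {
+        if ( is_multisite() && ! user_can( $user->ID, 'manage_sites' ) && ! is_user_member_of_blog( $user->ID ) ) {
             return $error;
         }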
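Review bot: The new exemption in the `if` condition is keyed on `user_can( $user->ID, 'manage_sites' )`, so it applies to every account that holds that capability, while the commit message describes it as a Super Admin exception; nothing at the condition records which is intended. Since this condition decides whether a non-member is rejected, I would add a comment above it such as `// Users who can manage sites on the network are exempt from the site membership requirement.` The check also reads the capability of `$user`, which may be the target of the request rather than the requester. The function's start and end are outside the hunk, so I can't confirm that from here, and the comment should say whose capability is being tested.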
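--- a/trunk/tests/phpunit/tests/rest-api/rest-application-passwords-controller.php
+++ b/trunk/tests/phpunit/tests/rest-api/rest-application-passwords-controller.php
@@ -408,4 +408,30 @@
         $response = rest_do_request( $request );
         $this->assertErrorResponse( 'rest_user_invalid_id', $response, 404 );
+    }
+
+    /**
+     * @ticket 53224
+     * @group ms-required
+     */
+    public function test_create_item_for_super_admin_on_site_where_they_are_not_a_member() {
+        wp_set_current_user( self::$admin );
+
+        // Create a site where the Super Admin is not a member.
+        $blog_id = self::factory()->blog->create(
+            array(
+                'user_id' => self::$subscriber_id,
+            )
+        );
+
+        switch_to_blog( $blog_id );
+
+        $request = new WP_REST_Request( 'POST', '/wp/v2/users/me/application-passwords' );
+        $request->set_body_params( array( 'name' => 'App' ) );
+        $response = rest_do_request( $request );
+
+        restore_current_blog();
+
+        $this->assertNotWPError( $response );
+        $this->assertSame( 201, $response->get_status() );
     }
 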
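Review bot: The added test covers only the success path, so nothing in this section pins that a non-member without `manage_sites` is still rejected on the new site, which is the case the relaxed condition must not open up. A sibling test that repeats the same setup with a user who is not a member of `$blog_id` and ends with `$this->assertErrorResponse( 'rest_user_invalid_id', $response, 404 );` would guard it; the error code is assumed from the assertion just above the new method and should be checked against the controller. The test also depends on `self::$admin` being a Super Admin, which is set up outside this section, so a one-line comment stating that assumption would help.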