
Changeset 56833

Timestamp:
10/12/2023 12:28:57 PM (15 months ago)
Author:
audrasjb
Message:

REST API: Limit search_columns for users without list_users.

Props Vortfu, jorbin, joehoyle, timothyblynjacobs, peterwilsoncc, ehtis.

Location:
trunk
Files:
2 edited

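--- a/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php
+++ b/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php
@@ -319,4 +319,7 @@
 
         if ( ! empty( $prepared_args['search'] ) ) {
+            if ( ! current_user_can( 'list_users' ) ) {
+                $prepared_args['search_columns'] = array( 'ID', 'user_login', 'user_nicename', 'display_name' );
+            }
             $prepared_args['search'] = '*' . $prepared_args['search'] . '*';
         }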
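Review bot: The new `current_user_can( 'list_users' )` branch hard-codes a column allow-list without any comment saying what it keeps out or why, and since that list is a security boundary a later maintainer may widen it without realising the consequence. I would put `// Callers without list_users may only search columns that are already exposed in the public view; this stops hidden columns such as user_email from being probed by wildcard search.` directly above the inner `if`, which also documents that it deliberately overrides any caller-supplied `search_columns`. It is also worth confirming whether `user_login` belongs in the list: the public `view` response presumably does not return the username, so a substring match on `user_login` lets an unauthenticated caller confirm logins that differ from the public slug — if that is accepted policy, the comment should say so. The enclosing method starts and ends outside this hunk.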
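--- a/trunk/tests/phpunit/tests/rest-api/rest-users-controller.php
+++ b/trunk/tests/phpunit/tests/rest-api/rest-users-controller.php
@@ -690,4 +690,23 @@
         $this->assertCount( 1, $data );
         $this->assertSame( $adam_id, $data[0]['id'] );
+    }
+
+    public function test_get_items_search_fields() {
+        $request = new WP_REST_Request( 'GET', '/wp/v2/users' );
+        $request->set_param( 'search', 'yololololo' );
+        $response = rest_get_server()->dispatch( $request );
+        $this->assertCount( 0, $response->get_data() );
+
+        $yolo_id = self::factory()->user->create( array( 'user_email' => 'yololololo@example.localhost' ) );
+
+        wp_set_current_user( self::$user );
+        $request = new WP_REST_Request( 'GET', '/wp/v2/users' );
+        $request->set_param( 'search', 'yololololo' );
+        $response = rest_get_server()->dispatch( $request );
+        $this->assertCount( 1, $response->get_data() );
+
+        wp_set_current_user( self::$editor );
+        $response = rest_get_server()->dispatch( $request );
+        $this->assertCount( 0, $response->get_data() );
     }
 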
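Review bot: `test_get_items_search_fields` pins only the negative case — an editor's search for the e-mail fragment returns nothing — and never asserts that the restricted column list still matches on a column it does allow, so an over-restrictive change (say, dropping `display_name` from the list) would pass this test unnoticed. I would create the user with an explicit `display_name` and, after the final assertion, dispatch a search for that display name as the editor with `$this->assertCount( 1, $response->get_data() );`. The first dispatch at the top of the test presumably relies on the fixture leaving no user logged in; an explicit `wp_set_current_user( 0 );` before it would make the unauthenticated expectation self-documenting rather than implicit. The `$yolo_id` return value is never used, so `$data[0]['id']` could be compared against it in the privileged case to confirm the match is the created user.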