Make WordPress Core


Timestamp:
10/12/2023 02:59:28 PM (3 years ago)
Author:
davidbaumwald
Message:

Grouped backports to the 5.0 branch.

  • Comments: Prevent users who can not see a post from seeing comments on it.
  • Shortcodes: Restrict media shortcode ajax to certain type.
  • REST API: Ensure no-cache headers are sent when methods are overridden.
  • REST API: Limit search_columns for users without list_users.
  • Prevent unintended behavior when certain objects are unserialized.

Merges [56833], [56834], [56835], [56836], and [56838] to the 5.0 branch.
Props xknown, jorbin, joehoyle, timothyblynjacobs, peterwilsoncc, ehtis, tykoted, antpb, rmccue.

File:
1 edited

  • branches/5.0/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php

    r43737 r56871  
    272272
    273273        if ( ! empty( $prepared_args['search'] ) ) {
     274            if ( ! current_user_can( 'list_users' ) ) {
     275                $prepared_args['search_columns'] = array( 'ID', 'user_login', 'user_nicename', 'display_name' );
     276            }
    274277            $prepared_args['search'] = '*' . $prepared_args['search'] . '*';
    275278        }
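Review bot: the allowlist on new lines 274-276 is undocumented. Nothing in the code says why a caller without `list_users` is limited to `ID`, `user_login`, `user_nicename` and `display_name`, or that leaving other user columns out of the search is deliberate. A short comment above the `current_user_can( 'list_users' )` check stating that intent would keep a later change from widening the array without noticing that it sits behind a capability check. The changeset also lists only this one edited file, so no test accompanies the restriction; a REST test that searches as a user without `list_users` and asserts which columns can match would pin the behaviour.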