WordPress.org
Get WordPress

Make WordPress Core


Ignore:
Timestamp:
09/30/2025 05:00:33 PM (5 months ago)
Author:
desrosj
Message:

Grouped backports for the 6.6 branch.

  • REST API: Increase the specificity of capability checks for collections when the edit context is in use.
  • Menus: Prevent HTML in menu item titles from being rendered unexpectedly.

Merges [60814], [60815], [60816] to the 6.6 branch.

Props andraganescu, desrosj, ehti, hurayraiit, iandunn, joehoyle, johnbillion, jorbin, mnelson4, noisysocks, peterwilsoncc, phillsav, rmccue, timothyblynjacobs, vortfu, westonruter , whyisjake, zieladam.

Location:
branches/6.6
Files:
2 edited

Legend:

Unmodified
Added
Removed

  • branches/6.6

  • branches/6.6/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php

    r58408 r60820  
    221221            return new WP_Error(
    222222                'rest_forbidden_context',
    223                 __( 'Sorry, you are not allowed to list users.' ),
     223                __( 'Sorry, you are not allowed to edit users.' ),
    224224                array( 'status' => rest_authorization_required_code() )
    225225            );
     
    351351
    352352        foreach ( $query->results as $user ) {
     353            if ( 'edit' === $request['context'] && ! current_user_can( 'edit_user', $user->ID ) ) {
     354                continue;
     355            }
     356
    353357            $data    = $this->prepare_item_for_response( $user, $request );
    354358            $users[] = $this->prepare_response_for_collection( $data );
     
    450454        }
    451455
    452         if ( 'edit' === $request['context'] && ! current_user_can( 'list_users' ) ) {
    453             return new WP_Error(
    454                 'rest_user_cannot_view',
    455                 __( 'Sorry, you are not allowed to list users.' ),
     456        if ( 'edit' === $request['context'] && ! current_user_can( 'edit_user', $user->ID ) ) {
     457            return new WP_Error(
     458                'rest_forbidden_context',
     459                __( 'Sorry, you are not allowed to edit this user.' ),
    456460                array( 'status' => rest_authorization_required_code() )
    457461            );
    458         } elseif ( ! count_user_posts( $user->ID, $types ) && ! current_user_can( 'edit_user', $user->ID ) && ! current_user_can( 'list_users' ) ) {
     462        }
     463
     464        if ( ! current_user_can( 'edit_user', $user->ID ) && ! current_user_can( 'list_users' ) && ! count_user_posts( $user->ID, $types ) ) {
    459465            return new WP_Error(
    460466                'rest_user_cannot_view',
     
    10511057        }
    10521058
    1053         if ( in_array( 'roles', $fields, true ) ) {
     1059        if ( in_array( 'roles', $fields, true ) && ( current_user_can( 'list_users' ) || current_user_can( 'edit_user', $user->ID ) ) ) {
    10541060            // Defensively call array_values() to ensure an array is returned.
    10551061            $data['roles'] = array_values( $user->roles );
Note: See TracChangeset for help on using the changeset viewer.