WordPress.org
Get WordPress

Make WordPress Core


Ignore:
Timestamp:
09/30/2025 05:01:27 PM (3 months ago)
Author:
desrosj
Message:

Grouped backports for the 6.3 branch.

  • REST API: Increase the specificity of capability checks for collections when the edit context is in use.
  • Menus: Prevent HTML in menu item titles from being rendered unexpectedly.

Merges [60814], [60815], [60816] to the 6.3 branch.

Props andraganescu, desrosj, ehti, hurayraiit, iandunn, joehoyle, johnbillion, jorbin, mnelson4, noisysocks, peterwilsoncc, phillsav, rmccue, timothyblynjacobs, vortfu, westonruter , whyisjake, zieladam.

Location:
branches/6.3
Files:
2 edited

Legend:

Unmodified
Added
Removed

  • branches/6.3

  • branches/6.3/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php

    r56840 r60823  
    211211            return new WP_Error(
    212212                'rest_forbidden_context',
    213                 __( 'Sorry, you are not allowed to list users.' ),
     213                __( 'Sorry, you are not allowed to edit users.' ),
    214214                array( 'status' => rest_authorization_required_code() )
    215215            );
     
    341341
    342342        foreach ( $query->results as $user ) {
     343            if ( 'edit' === $request['context'] && ! current_user_can( 'edit_user', $user->ID ) ) {
     344                continue;
     345            }
     346
    343347            $data    = $this->prepare_item_for_response( $user, $request );
    344348            $users[] = $this->prepare_response_for_collection( $data );
     
    440444        }
    441445
    442         if ( 'edit' === $request['context'] && ! current_user_can( 'list_users' ) ) {
    443             return new WP_Error(
    444                 'rest_user_cannot_view',
    445                 __( 'Sorry, you are not allowed to list users.' ),
     446        if ( 'edit' === $request['context'] && ! current_user_can( 'edit_user', $user->ID ) ) {
     447            return new WP_Error(
     448                'rest_forbidden_context',
     449                __( 'Sorry, you are not allowed to edit this user.' ),
    446450                array( 'status' => rest_authorization_required_code() )
    447451            );
    448         } elseif ( ! count_user_posts( $user->ID, $types ) && ! current_user_can( 'edit_user', $user->ID ) && ! current_user_can( 'list_users' ) ) {
     452        }
     453
     454        if ( ! current_user_can( 'edit_user', $user->ID ) && ! current_user_can( 'list_users' ) && ! count_user_posts( $user->ID, $types ) ) {
    449455            return new WP_Error(
    450456                'rest_user_cannot_view',
     
    10401046        }
    10411047
    1042         if ( in_array( 'roles', $fields, true ) ) {
     1048        if ( in_array( 'roles', $fields, true ) && ( current_user_can( 'list_users' ) || current_user_can( 'edit_user', $user->ID ) ) ) {
    10431049            // Defensively call array_values() to ensure an array is returned.
    10441050            $data['roles'] = array_values( $user->roles );
Note: See TracChangeset for help on using the changeset viewer.