WordPress.org
Get WordPress

Make WordPress Core


Ignore:
Timestamp:
09/30/2025 05:03:26 PM (6 weeks ago)
Author:
desrosj
Message:

Grouped backports for the 5.7 branch.

  • REST API: Increase the specificity of capability checks for collections when the edit context is in use.
  • Menus: Prevent HTML in menu item titles from being rendered unexpectedly.

Merges [60814], [60815], [60816] to the 5.7 branch.

Props andraganescu, desrosj, ehti, hurayraiit, iandunn, joehoyle, johnbillion, jorbin, mnelson4, noisysocks, peterwilsoncc, phillsav, rmccue, timothyblynjacobs, vortfu, westonruter , whyisjake, zieladam.

Location:
branches/5.7
Files:
2 edited

Legend:

Unmodified
Added
Removed

  • branches/5.7

  • branches/5.7/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php

    r56886 r60829  
    202202            return new WP_Error(
    203203                'rest_forbidden_context',
    204                 __( 'Sorry, you are not allowed to list users.' ),
     204                __( 'Sorry, you are not allowed to edit users.' ),
    205205                array( 'status' => rest_authorization_required_code() )
    206206            );
     
    325325
    326326        foreach ( $query->results as $user ) {
     327            if ( 'edit' === $request['context'] && ! current_user_can( 'edit_user', $user->ID ) ) {
     328                continue;
     329            }
     330
    327331            $data    = $this->prepare_item_for_response( $user, $request );
    328332            $users[] = $this->prepare_response_for_collection( $data );
     
    424428        }
    425429
    426         if ( 'edit' === $request['context'] && ! current_user_can( 'list_users' ) ) {
    427             return new WP_Error(
    428                 'rest_user_cannot_view',
    429                 __( 'Sorry, you are not allowed to list users.' ),
     430        if ( 'edit' === $request['context'] && ! current_user_can( 'edit_user', $user->ID ) ) {
     431            return new WP_Error(
     432                'rest_forbidden_context',
     433                __( 'Sorry, you are not allowed to edit this user.' ),
    430434                array( 'status' => rest_authorization_required_code() )
    431435            );
    432         } elseif ( ! count_user_posts( $user->ID, $types ) && ! current_user_can( 'edit_user', $user->ID ) && ! current_user_can( 'list_users' ) ) {
     436        }
     437
     438        if ( ! current_user_can( 'edit_user', $user->ID ) && ! current_user_can( 'list_users' ) && ! count_user_posts( $user->ID, $types ) ) {
    433439            return new WP_Error(
    434440                'rest_user_cannot_view',
     
    10251031        }
    10261032
    1027         if ( in_array( 'roles', $fields, true ) ) {
     1033        if ( in_array( 'roles', $fields, true ) && ( current_user_can( 'list_users' ) || current_user_can( 'edit_user', $user->ID ) ) ) {
    10281034            // Defensively call array_values() to ensure an array is returned.
    10291035            $data['roles'] = array_values( $user->roles );
Note: See TracChangeset for help on using the changeset viewer.