Changeset 60837 for branches/4.9/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php

Timestamp:

09/30/2025 05:06:24 PM (3 months ago)

Author:

desrosj

Message:

Grouped backports for the 4.9 branch.

• REST API: Increase the specificity of capability checks for collections when the edit context is in use.
• Menus: Prevent HTML in menu item titles from being rendered unexpectedly.

Merges [60814], [60815], [60816] to the 4.9 branch.

Props andraganescu, desrosj, ehti, hurayraiit, iandunn, joehoyle, johnbillion, jorbin, mnelson4, noisysocks, peterwilsoncc, phillsav, rmccue, timothyblynjacobs, vortfu, westonruter , whyisjake, zieladam.

Location:

branches/4.9

Files:

• . (modified) (1 prop)
• src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php (modified) (4 diffs)

branches/4.9/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php

@@ -180 +180 @@
 
         if ( 'edit' === $request['context'] && ! current_user_can( 'list_users' ) ) {
-            return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you are not allowed to list users.' ), array( 'status' => rest_authorization_required_code() ) );
+            return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you are not allowed to edit users.' ), array( 'status' => rest_authorization_required_code() ) );
         }
 
@@ -294 +294 @@
 
         foreach ( $query->results as $user ) {
+            if ( 'edit' === $request['context'] && ! current_user_can( 'edit_user', $user->ID ) ) {
+                continue;
+            }
+
             $data = $this->prepare_item_for_response( $user, $request );
             $users[] = $this->prepare_response_for_collection( $data );
@@ -388 +392 @@
         }
 
-        if ( 'edit' === $request['context'] && ! current_user_can( 'list_users' ) ) {
-            return new WP_Error( 'rest_user_cannot_view', __( 'Sorry, you are not allowed to list users.' ), array( 'status' => rest_authorization_required_code() ) );
-        } elseif ( ! count_user_posts( $user->ID, $types ) && ! current_user_can( 'edit_user', $user->ID ) && ! current_user_can( 'list_users' ) ) {
+        if ( 'edit' === $request['context'] && ! current_user_can( 'edit_user', $user->ID ) ) {
+            return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you are not allowed to edit this user.' ), array( 'status' => rest_authorization_required_code() ) );
+        }
+
+        if ( ! current_user_can( 'edit_user', $user->ID ) && ! current_user_can( 'list_users' ) && ! count_user_posts( $user->ID, $types ) ) {
             return new WP_Error( 'rest_user_cannot_view', __( 'Sorry, you are not allowed to list users.' ), array( 'status' => rest_authorization_required_code() ) );
         }
@@ -891 +897 @@
         }
 
-        if ( in_array( 'roles', $fields, true ) ) {
+        if ( in_array( 'roles', $fields, true ) && ( current_user_can( 'list_users' ) || current_user_can( 'edit_user', $user->ID ) ) ) {
             // Defensively call array_values() to ensure an array is returned.
             $data['roles'] = array_values( $user->roles );