Changeset 60838 for branches/4.8/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php

Timestamp:

09/30/2025 05:06:32 PM (6 months ago)

Author:

desrosj

Message:

Grouped backports for the 4.8 branch.

• REST API: Increase the specificity of capability checks for collections when the edit context is in use.
• Menus: Prevent HTML in menu item titles from being rendered unexpectedly.

Merges [60814], [60815], [60816] to the 4.8 branch.

Props andraganescu, desrosj, ehti, hurayraiit, iandunn, joehoyle, johnbillion, jorbin, mnelson4, noisysocks, peterwilsoncc, phillsav, rmccue, timothyblynjacobs, vortfu, westonruter , whyisjake, zieladam.

Location:

branches/4.8

Files:

• . (modified) (1 prop)
• src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php (modified) (4 diffs)

branches/4.8/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php

@@ -185 +185 @@
 
         if ( 'edit' === $request['context'] && ! current_user_can( 'list_users' ) ) {
-            return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you are not allowed to list users.' ), array( 'status' => rest_authorization_required_code() ) );
+            return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you are not allowed to edit users.' ), array( 'status' => rest_authorization_required_code() ) );
         }
 
@@ -283 +283 @@
 
         foreach ( $query->results as $user ) {
+            if ( 'edit' === $request['context'] && ! current_user_can( 'edit_user', $user->ID ) ) {
+                continue;
+            }
             $data = $this->prepare_item_for_response( $user, $request );
             $users[] = $this->prepare_response_for_collection( $data );
@@ -378 +381 @@
         }
 
-        if ( 'edit' === $request['context'] && ! current_user_can( 'list_users' ) ) {
-            return new WP_Error( 'rest_user_cannot_view', __( 'Sorry, you are not allowed to list users.' ), array( 'status' => rest_authorization_required_code() ) );
+        if ( 'edit' === $request['context'] && ! current_user_can( 'edit_user', $user->ID ) ) {
+            return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you are not allowed to edit this user.' ), array( 'status' => rest_authorization_required_code() ) );
         } elseif ( ! count_user_posts( $user->ID, $types ) && ! current_user_can( 'edit_user', $user->ID ) && ! current_user_can( 'list_users' ) ) {
             return new WP_Error( 'rest_user_cannot_view', __( 'Sorry, you are not allowed to list users.' ), array( 'status' => rest_authorization_required_code() ) );
@@ -880 +883 @@
         }
 
-        if ( ! empty( $schema['properties']['roles'] ) ) {
+        if ( ! empty( $schema['properties']['roles'] ) && ( current_user_can( 'list_users' ) || current_user_can( 'edit_user', $user->ID ) ) ) {
             // Defensively call array_values() to ensure an array is returned.
             $data['roles'] = array_values( $user->roles );