Index: src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php
===================================================================
--- src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php	(revision 40596)
+++ src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php	(working copy)
@@ -570,12 +570,19 @@
 			return $user;
 		}
 
-		if ( ! current_user_can( 'edit_user', $user->ID ) ) {
-			return new WP_Error( 'rest_cannot_edit', __( 'Sorry, you are not allowed to edit this user.' ), array( 'status' => rest_authorization_required_code() ) );
+		if ( ! empty( $request['roles'] ) ) {
+			if ( ! current_user_can( 'promote_user', $user->ID ) ) {
+				return new WP_Error( 'rest_cannot_edit_roles', __( 'Sorry, you are not allowed to edit roles of this user.' ), array( 'status' => rest_authorization_required_code() ) );
+			}
+
+			$request_params = $request->get_params();
+			if ( count( $request_params ) === 2 ) {
+				return true;
+			}
 		}
 
-		if ( ! empty( $request['roles'] ) && ! current_user_can( 'edit_users' ) ) {
-			return new WP_Error( 'rest_cannot_edit_roles', __( 'Sorry, you are not allowed to edit roles of this user.' ), array( 'status' => rest_authorization_required_code() ) );
+		if ( ! current_user_can( 'edit_user', $user->ID ) ) {
+			return new WP_Error( 'rest_cannot_edit', __( 'Sorry, you are not allowed to edit this user.' ), array( 'status' => rest_authorization_required_code() ) );
 		}
 
 		return true;
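Review bot: The early `return true` under `count( $request_params ) === 2` skips the `edit_user` check based on a bare parameter count, which leaves the authorization rule implicit and undocumented. The 2 presumably stands for `id` plus `roles`, and `get_params()` merges every parameter source, so the shortcut is only correct while `id` is the one other key that can ever be present. Comparing key names states the rule directly: `$extra = array_diff( array_keys( $request->get_params() ), array( 'id', 'roles' ) );` followed by `if ( empty( $extra ) ) { return true; }`. A comment such as `// A roles-only update requires promote_user, not edit_user.` above the shortcut would record the intent. The enclosing method starts and ends outside the hunk.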
Index: tests/phpunit/tests/rest-api/rest-users-controller.php
===================================================================
--- tests/phpunit/tests/rest-api/rest-users-controller.php	(revision 40596)
+++ tests/phpunit/tests/rest-api/rest-users-controller.php	(working copy)
@@ -1569,6 +1569,25 @@
 		$this->assertErrorResponse( 'rest_user_invalid_id', $response, 404 );
 	}
 
+	/**
+	 * @ticket 40263
+	 * @group ms-required
+	 */
+	public function test_update_item_only_roles_as_site_administrator() {
+		$user_id = $this->factory->user->create( array(
+			'role' => 'author',
+		) );
+
+		wp_set_current_user( self::$user );
+		$request = new WP_REST_Request( 'PUT', sprintf( '/wp/v2/users/%d', $user_id ) );
+		$request->set_param( 'roles', array( 'editor' ) );
+		$response = $this->server->dispatch( $request );
+		$this->assertEquals( 200, $response->get_status() );
+
+		$new_data = $response->get_data();
+		$this->assertEquals( 'editor', $new_data['roles'][0] );
+	}
+
 	public function test_update_item_invalid_password() {
 		$this->allow_user_to_manage_multisite();
 		wp_set_current_user( self::$user );
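Review bot: `test_update_item_only_roles_as_site_administrator` covers only the success path of a relaxed permission check, so nothing pins down where the relaxation stops. A companion test run as the same user that sends `roles` together with another field, for example `$request->set_param( 'name', 'New Name' );`, and ends with `$this->assertErrorResponse( 'rest_cannot_edit', $response, 403 );` would guard against the shortcut widening later. The hunk does not show which capabilities `self::$user` holds, so the new test should also assert its precondition with `$this->assertFalse( current_user_can( 'edit_user', $user_id ) );` before dispatching. Without that assertion the test would still pass if the request were authorized through the ordinary `edit_user` path.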
