REST API: Don't delete posts/links when deleting/removing a user from a site in a multisite install
| Reported by: | ocean90 | Owned by: | jeremyfelt |
| Component: | REST API | Keywords: | has-patch has-unit-tests commit dev-reviewed |
The current endpoint uses wp_delete_user() which also uses remove_user_from_blog() but only after removing all the posts and links.
This is critical because a) the user isn't actually deleted and b) the behaviour differs from wp-admin and can lead to unexpected data loss. While the API supports a reassign parameter, it's not required to be set, unlike the force parameter.
The severity of this issue can probably be a bit reduced if we require the reassign parameter for all requests. For the current default behaviour I'd have to set reassign=>null explicitly.
A related issue: The capability check differs from wp-admin too, remove_users vs. delete_users. This was already reported on the GitHub repo but without a response yet.
I've also searched through some of the issues and found a general one about "Deleting an item should always delete an item". It's also the issue where the question "What should DELETE wp/users/1 do on single site vs. multisite?" was asked. I couldn't find an answer though.
If we don't want to handle removing users via the DELETE route we may have to think about disabling the route for multisite.
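The mitigation raised in the description (require reassign on every delete request) can be enforced outside the endpoint itself. The following is an added example, not WordPress core code and not the patch attached to this ticket: a hypothetical mu-plugin that rejects DELETE requests to the users route on multisite unless reassign names a valid, different user. The function name, error codes and the route pattern `/wp/v2/users/<id>` are assumptions of this example.

```php
<?php
/**
 * Added example (hypothetical mu-plugin, not WordPress core code).
 * On multisite, refuse DELETE on the users route unless the caller
 * supplies a usable `reassign` user ID, so posts and links are never
 * removed as a side effect of taking a user off a site.
 */
add_filter( 'rest_pre_dispatch', 'example_require_reassign_on_user_delete', 10, 3 );

function example_require_reassign_on_user_delete( $result, $server, $request ) {
    // Respect an earlier short-circuit; only act on multisite DELETE requests.
    if ( null !== $result || ! is_multisite() || 'DELETE' !== $request->get_method() ) {
        return $result;
    }

    // Assumed route shape: /wp/v2/users/<id> or /wp/v2/users/me.
    if ( ! preg_match( '#^/wp/v2/users/(\d+|me)/?$#', $request->get_route(), $m ) ) {
        return $result;
    }

    $target   = ( 'me' === $m[1] ) ? get_current_user_id() : (int) $m[1];
    $reassign = $request->get_param( 'reassign' );

    // Missing, null, empty, "false" and non-numeric values all count as "not set".
    if ( ! is_numeric( $reassign ) || (int) $reassign <= 0 ) {
        return new WP_Error(
            'example_reassign_required',
            'A reassign user ID is required when removing a user on multisite.',
            array( 'status' => 400 )
        );
    }

    $reassign = (int) $reassign;

    // Content must go to an existing user other than the one being removed.
    if ( $reassign === $target || ! get_userdata( $reassign ) ) {
        return new WP_Error(
            'example_reassign_invalid',
            'The reassign user ID must refer to a different, existing user.',
            array( 'status' => 400 )
        );
    }

    // Request is acceptable: let the normal endpoint handle it.
    return $result;
}
```

This only closes the silent-deletion path; it does not change the remove_users vs. delete_users capability check mentioned above.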
Change History (31)
- Keywords has-patch has-unit-tests commit dev-feedback added; needs-patch needs-unit-tests removed