WordPress.org

Make WordPress Core

Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#39155 closed defect (bug) (invalid)

REST API: User with default admin role cannot create or edit users via rest api

Reported by: friendlyfire Owned by:
Milestone: Priority: normal
Severity: normal Version: 4.7
Component: Users Keywords:
Focuses: multisite, rest-api Cc:
PR Number:

Description

SUMMARY:

When acting as an site administrator on a multisite install and attempting create a user or update an existing user on the following endpoint:

/wp-json/wp/v2/users/141?context=edit

I get:

403 "rest_cannot_edit"

REPRODUCTION STEPS:

  • Spin up a fresh 4.7 wp multisite install.
  • create a subsite with a new user with the default administrator role.
  • authenticate as the subsite admin by logging in.
  • create some sort of js form that posts to the api endpoint for a user (we're doing this via angular).

for example:

$.ajax( {
  url: WP_API_Settings.root + ‘wp/v2/users/’,
  method: ‘POST’,
  beforeSend: function ( xhr ) {
  xhr.setRequestHeader( ‘X-WP-Nonce’, WP_API_Settings.nonce );
},
  data:{
  email: ‘someone@somewhere.net’,
  username: ‘someone’,
  password: Math.random().toString(36).substring(7)
 }
} ).done( function ( response ) {
  console.log( response );
} )
  • Make sure that you're passing the WP_API_Settings.nonce to the js so you can post back to the api.
  • Submit request.

CURRENT RESULTS:
The response is 403 "rest_cannot_edit".

EXPECTED RESULTS:
A 200 response for any role that has the privelege to create, upodate or delete users. ( I confirmed this doesn't work with custom roles either).

SIDE NOTE:
If you did this with a super admin role for the multisite network, you get a 200 response on the PUT or POST to the users endpoint.

Change History (7)

#1 @swissspidy
3 years ago

  • Component changed from HTTP API to Users
  • Focuses multisite added

#2 @friendlyfire
3 years ago

  • Summary changed from REST API: User with default admin role cannot create new user via rest api to REST API: User with default admin role cannot create or edit users via rest api

#3 @jnylen0
3 years ago

  • Milestone changed from Awaiting Review to 4.8

Something similar reported here - https://github.com/WP-API/WP-API/issues/2944

See #38962 for previous discussion around multisite users, mostly related to deleting.

#4 @johnbillion
3 years ago

  • Keywords reporter-feedback added
  • Milestone changed from 4.8 to 4.7.1

This is correct behaviour. A regular administrator on a multisite installation does not have the ability to edit users.

Does the user you're authenticating with have the ability to edit users through the admin area?

#5 @friendlyfire
3 years ago

  • Resolution set to invalid
  • Status changed from new to closed

omg. Years of using MS and I never knew this how?!

Ok, well, sorry for the false alarm. I found a way around it for now. Thank you!

#6 @johnbillion
3 years ago

  • Keywords reporter-feedback removed
  • Milestone 4.7.1 deleted

Thanks for the update. Glad it's not an issue.

This ticket was mentioned in Slack in #core-multisite by jeremyfelt. View the logs.


3 years ago

Note: See TracTickets for help on using tickets.