#39155 closed defect (bug) (invalid)
REST API: User with default admin role cannot create or edit users via rest api
Reported by: | friendlyfire | Owned by: | |
---|---|---|---|
Milestone: | | Priority: | normal |
Severity: | normal | Version: | 4.7 |
Component: | Users | Keywords: | |
Focuses: | multisite, rest-api | Cc: | |
Description
SUMMARY:
When acting as a site administrator on a multisite install and attempting to create a user or update an existing user on the following endpoint:
/wp-json/wp/v2/users/141?context=edit
I get:
403 "rest_cannot_edit"
REPRODUCTION STEPS:
- Spin up a fresh 4.7 wp multisite install.
- Create a subsite with a new user with the default administrator role.
- Authenticate as the subsite admin by logging in.
- Create some sort of JS form that posts to the API endpoint for a user (we're doing this via Angular).
for example:
```js
$.ajax( {
    url: WP_API_Settings.root + 'wp/v2/users/',
    method: 'POST',
    beforeSend: function ( xhr ) {
        // Send the REST nonce with the cookie-authenticated request.
        xhr.setRequestHeader( 'X-WP-Nonce', WP_API_Settings.nonce );
    },
    data: {
        email: 'someone@somewhere.net',
        username: 'someone',
        password: Math.random().toString(36).substring(7)
    }
} ).done( function ( response ) {
    console.log( response );
} );
```
- Make sure that you're passing the WP_API_Settings.nonce to the js so you can post back to the api.
- Submit request.
CURRENT RESULTS:
The response is 403 "rest_cannot_edit".
EXPECTED RESULTS:
A 200 response for any role that has the privilege to create, update or delete users. (I confirmed this doesn't work with custom roles either.)
SIDE NOTE:
If you did this with a super admin role for the multisite network, you get a 200 response on the PUT or POST to the users endpoint.
Change History (7)
#2
8 years ago
- Summary changed from REST API: User with default admin role cannot create new user via rest api to REST API: User with default admin role cannot create or edit users via rest api
#4
8 years ago
- Keywords reporter-feedback added
- Milestone changed from 4.8 to 4.7.1
This is correct behaviour. A regular administrator on a multisite installation does not have the ability to edit users.
Does the user you're authenticating with have the ability to edit users through the admin area?
#5
8 years ago
- Resolution set to invalid
- Status changed from new to closed
omg. Years of using MS and I never knew this how?!
Ok, well, sorry for the false alarm. I found a way around it for now. Thank you!
#6
8 years ago
- Keywords reporter-feedback removed
- Milestone 4.7.1 deleted
Thanks for the update. Glad it's not an issue.
Something similar reported here - https://github.com/WP-API/WP-API/issues/2944
See #38962 for previous discussion around multisite users, mostly related to deleting.