Opened 3 years ago

Closed 3 years ago

#40251 closed defect (bug) (wontfix)

Querying for single user in REST API after unsetting rest_user_query returns rest_user_cannot_view

Reported by: daduenn
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 4.7.3
Component: REST API
Keywords:
Focuses: rest-api
Cc:
PR Number:

Description

Unsetting has_published_posts with the rest_user_query filter hook allows users who do not have published posts to show in /wp-json/wp/v2/Users. It seems that the same should work similarly for single users (/wp-json/wp/v2/Users/23) but it does not. This seems like a bug.

Change History (1)

#1 @joehoyle
3 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed

Hey daduenn, thanks for the report! While it might make sense to be able to do this - this filter is just _one_ place that can change the data the REST API returns. There are other permissions checks and filters involved to make sure we don't expose all users of a site, not just ones with has_published_posts.

I think it makes sense to keep it this way, and not have this endpoint support listing all users, rather than providing a developer API to allow disabling the has_published_posts check. /users/$id doesn't use WP_User_Query so there'd be no way to use this specific hook to control that either.

Feel free to re-open if you strongly disagree, but at this point I don't think we need to support this in the core endpoint. Current develop suggestion: create your own PHP subclass for the route.
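
The subclass route suggested in the comment above, sketched as an added example (not WordPress core code and not written by either ticket participant): it registers only a read-only single-user route under its own namespace and lifts the rest_user_cannot_view refusal only for accounts that were explicitly marked public. The `example/v1` namespace, the class name and the `example_public_profile` user meta key are assumptions.

```php
<?php
// Added example, not WordPress core code. The 'example/v1' namespace, the class
// name and the 'example_public_profile' user meta key are assumptions.
class Example_Public_Users_Controller extends WP_REST_Users_Controller {

	public function __construct() {
		parent::__construct();
		// Separate namespace: the core /wp/v2/users routes keep their own checks.
		$this->namespace = 'example/v1';
	}

	// Register only the read-only single-user route, not list/create/update/delete.
	public function register_routes() {
		register_rest_route( $this->namespace, '/' . $this->rest_base . '/(?P<id>[\d]+)', array(
			array(
				'methods'             => WP_REST_Server::READABLE,
				'callback'            => array( $this, 'get_item' ),
				'permission_callback' => array( $this, 'get_item_permissions_check' ),
				'args'                => array(
					'context' => $this->get_context_param( array( 'default' => 'view' ) ),
				),
			),
			'schema' => array( $this, 'get_public_item_schema' ),
		) );
	}

	public function get_item_permissions_check( $request ) {
		$result = parent::get_item_permissions_check( $request );
		// Allowed by core, or failed for another reason (e.g. invalid id): pass through.
		if ( ! is_wp_error( $result ) || 'rest_user_cannot_view' !== $result->get_error_code() ) {
			return $result;
		}
		// The 'edit' context adds fields such as email and roles; keep core's refusal.
		if ( 'edit' === $request['context'] ) {
			return $result;
		}
		// Lift the refusal only for accounts explicitly marked as public.
		if ( get_user_meta( (int) $request['id'], 'example_public_profile', true ) ) {
			return true;
		}
		return $result;
	}
}

add_action( 'rest_api_init', function () {
	( new Example_Public_Users_Controller() )->register_routes();
} );
```

Because the override defers to the parent check first, a user who is already visible through the core route behaves identically here, and a nonexistent id still returns the parent's error rather than revealing which ids are merely hidden.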
