Make WordPress Core

Opened 3 months ago

Last modified 2 months ago

#42999 new defect (bug)

A Super Admin can have no caps on a /wp/v2/users/me?context=edit REST API request

Reported by: imath
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: trunk
Component: REST API
Keywords: has-patch has-unit-tests
Focuses: multisite
Cc:

When testing Gutenberg, as it uses the REST API /wp/v2/users/me?context=edit request to get the current user capabilities I've noticed this request can return an empty object for the user's capabilities although the current user is a Super Administrator.

Steps to reproduce in a multisite config:

  1. Log in as a super administrator.
  2. Create a new user from the network administration.
  3. Create a new site for this created user.
  4. Request /wp/v2/users/me?context=edit on the newly created site.

I think even if a Super Admin has no role on a given site, as he can actually perform all the site's administrator actions, the site's /wp/v2/users/me?context=edit request should return the administrator's capabilities for this Super Admin.

I'm attaching a diff containing my suggestion to fix what I think is an issue + a unit test.

Attachments (2)

42999.diff (2.8 KB) - added by imath 3 months ago.
42999.2.diff (2.9 KB) - added by imath 2 months ago.


Change History (5)

#1 @imath
3 months ago

  • Keywords has-patch has-unit-tests added

#2 @jeremyfelt
2 months ago

We've tried to move away from is_super_admin() where we can. Would checking if the user has the manage_network capability work in this scenario?

#3 @imath
2 months ago

Hi @jeremyfelt

Oops, sorry, I missed this information. I've just checked and I confirm it's working.

I've added the 42999.2.diff patch in order to use the manage_network capability check.
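The behaviour described in the ticket and the manage_network check proposed in comments #2 and #3, shown as an added illustration hooked onto the REST user controller; this is not the attached 42999.2.diff (which is not reproduced on this page), and the function name and its placement in an mu-plugin are assumptions.

```php
<?php
/**
 * Added illustration for ticket #42999 (not the attached patch): when a
 * multisite Super Admin has no role on the current site, return the
 * administrator role's capabilities from /wp/v2/users/me?context=edit
 * instead of an empty object. Assumed to be loaded from an mu-plugin.
 */
add_filter( 'rest_prepare_user', 'example_42999_super_admin_caps', 10, 3 );

function example_42999_super_admin_caps( WP_REST_Response $response, WP_User $user, WP_REST_Request $request ) {
	// Only the `edit` context exposes the capabilities field at all.
	if ( ! is_multisite() || 'edit' !== $request['context'] ) {
		return $response;
	}

	// Scope to the requesting user, which is what /users/me returns.
	if ( (int) $user->ID !== get_current_user_id() ) {
		return $response;
	}

	// A user with a role on this site already gets their real capabilities.
	if ( ! empty( $user->roles ) ) {
		return $response;
	}

	// Use the manage_network capability rather than is_super_admin(), as
	// suggested in comment #2; super admins satisfy it through has_cap().
	if ( ! user_can( $user, 'manage_network' ) ) {
		return $response;
	}

	$administrator = get_role( 'administrator' );
	if ( ! $administrator instanceof WP_Role ) {
		return $response;
	}

	$data = $response->get_data();
	// Leave the payload alone if the field was filtered out (e.g. via _fields).
	if ( ! isset( $data['capabilities'] ) ) {
		return $response;
	}

	// Match the controller's shape: capabilities are serialised as an object.
	$data['capabilities'] = (object) $administrator->capabilities;
	$response->set_data( $data );

	return $response;
}
```

Note that this only changes what the response reports; the Super Admin's effective permissions on the site are unchanged, so a consumer such as Gutenberg sees the capabilities the user can actually exercise there.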
