
Make WordPress Core

Opened 3 years ago

Closed 3 months ago

#42999 closed defect (bug) (wontfix)

A Super Admin can have no caps on a /wp/v2/users/me?context=edit REST API request

Reported by: imath
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: REST API
Keywords: has-patch has-unit-tests
Focuses: multisite
Cc:

Description

Hi,

When testing Gutenberg, as it uses the REST API /wp/v2/users/me?context=edit request to get the current user capabilities I've noticed this request can return an empty object for the user's capabilities although the current user is a Super Administrator.

Steps to reproduce in a multisite config:

  1. Log in as a super administrator.
  2. Create a new user from the network administration.
  3. Create a new site for this created user.
  4. Request /wp/v2/users/me?context=edit on the newly created site.

I think even if a Super Admin has no role on a given site, as he can actually perform all the site's administrator actions, the site's /wp/v2/users/me?context=edit request should return the administrator's capabilities for this Super Admin.

I'm attaching a diff containing my suggestion to fix what I think is an issue + a unit test.

Attachments (2)

42999.diff (2.8 KB) - added by imath 3 years ago.
42999.2.diff (2.9 KB) - added by imath 3 years ago.


Change History (7)

@imath
3 years ago

#1 @imath
3 years ago

  • Keywords has-patch has-unit-tests added

#2 @jeremyfelt
3 years ago

We've tried to move away from is_super_admin() where we can. Would checking if the user has the manage_network capability work in this scenario?

#3 @imath
3 years ago

Hi @jeremyfelt

Oops, sorry, I missed this information. I've just checked and I confirm it's working.

I've added the 42999.2.diff patch in order to use the manage_network capability check.
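As an added illustration (not the attached 42999.diff or 42999.2.diff, and not core code), the snippet below shows the shape of the approach settled on in comments #2 and #3: when a multisite user has no role on the current site but holds the `manage_network` capability, the REST response for `context=edit` carries the site's administrator capabilities instead of an empty object. The check goes through `user_can()` rather than `is_super_admin()`. The `rest_prepare_user` filter, `is_multisite()`, `user_can()` and `get_role()` are real WordPress APIs; the `t42999_` helper name and the decision to merge the administrator role's capabilities are assumptions made for this example.

```php
<?php
// Example code added for illustration; not the ticket's attached patch.
// Assumes WordPress multisite. The helper name is hypothetical.

/**
 * Capabilities the REST response should report for $user on the current site.
 * Network-level users are recognised via the `manage_network` capability
 * (as requested in comment #2), not via the is_super_admin() shortcut.
 */
function t42999_effective_caps_for_rest( WP_User $user ) {
    $caps = $user->allcaps;

    // Only relevant on multisite, and only when the user has no role here.
    if ( ! is_multisite() || ! empty( $user->roles ) ) {
        return $caps;
    }

    // Capability-based check instead of is_super_admin().
    if ( ! user_can( $user, 'manage_network' ) ) {
        return $caps;
    }

    $admin_role = get_role( 'administrator' );
    if ( ! $admin_role ) {
        return $caps;
    }

    // Merge the site's administrator capabilities; caps already set on the
    // user (including any explicit denials) take precedence.
    return array_merge( $admin_role->capabilities, $caps );
}

/**
 * Make /wp/v2/users/me?context=edit report the merged capability set.
 */
add_filter( 'rest_prepare_user', function ( $response, $user, $request ) {
    if ( 'edit' !== $request['context'] ) {
        return $response;
    }

    $data                 = $response->get_data();
    $data['capabilities'] = (object) t42999_effective_caps_for_rest( $user );
    $response->set_data( $data );

    return $response;
}, 10, 3 );
```

Note that, as comment #5 points out, a consumer should still rely on real server-side `current_user_can()` checks when deciding whether an action is allowed; the capabilities field is informational and is not evaluated by the capabilities API when it is returned.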

@imath
3 years ago

#4 @pento
2 years ago

  • Version trunk deleted

#5 @TimothyBlynJacobs
3 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed

I don't think this is an issue anymore since Gutenberg is now using action links and as such real user_can checks. Checking against the capabilities returned in the REST API response is of limited utility because the capabilities API isn't actually running. I'm not sure that we should be encouraging more uses of this field.

Based on that, I'm going to close this out. But if someone feels strongly about implementing it and owning it, feel free to reopen.
