Opened 7 years ago
Closed 4 years ago
#42999 closed defect (bug) (wontfix)
A Super Admin can have no caps on a /wp/v2/users/me?context=edit REST API request
| Reported by: | imath | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | REST API | Keywords: | has-patch has-unit-tests |
| Focuses: | multisite | Cc: | |
Description
Hi,
When testing Gutenberg, as it uses the REST API /wp/v2/users/me?context=edit request to get the current user capabilities, I've noticed this request can return an empty object for the user's capabilities although the current user is a Super Administrator.
Steps to reproduce in a multisite config:
- log in as a super administrator.
- create a new user from the network administration.
- create a new site for this created user.
- request /wp/v2/users/me?context=edit on the newly created site.
I think even if a Super Admin has no role on a given site, as he can actually perform all the site's administrator actions, the site's /wp/v2/users/me?context=edit request should return the administrator's capabilities for this Super Admin.
I'm attaching a diff containing my suggestion to fix what I think is an issue + a unit test.
Attachments (2)
Change History (7)
#3 @ 7 years ago
Hi @jeremyfelt
Oops sorry I missed this information. I've just checked and I confirm it's working.
I've added the 42999.2.diff patch in order to use the manage_network capability check.
#5 @ 4 years ago
- Milestone Awaiting Review deleted
- Resolution set to wontfix
- Status changed from new to closed
I don't think this is an issue anymore since Gutenberg is now using action links and as such real user_can checks. Checking against the capabilities returned in the REST API response is of limited utility because the capabilities API isn't actually running. I'm not sure that we should be encouraging more uses of this field.
Based on that, I'm going to close this out. But if someone feels strongly about implementing it and owning it, feel free to reopen.
We've tried to move away from is_super_admin() where we can. Would checking if the user has the manage_network capability work in this scenario?
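The behaviour described in the ticket description and the manage_network check proposed above, as an added illustration that is not the attached 42999.diff or 42999.2.diff and not WordPress core code: a plugin-side rest_prepare_user filter that fills the capabilities field of the current user's context=edit response from the site's administrator role when the user holds manage_network but has no role on the current site. It assumes a multisite install and the core hook, function and class names shown; the response field is kept informational, since authorization still has to go through current_user_can() / user_can().

```php
<?php
/**
 * Added illustration for ticket #42999 (not the attached patches):
 * report the site's administrator capabilities in /wp/v2/users/me?context=edit
 * for a user who holds manage_network but has no role on the current site.
 */
add_filter( 'rest_prepare_user', function ( WP_REST_Response $response, WP_User $user, WP_REST_Request $request ) {
    // Only the edit context exposes capabilities, and only the current user's own record matters here.
    if ( 'edit' !== $request->get_param( 'context' ) || get_current_user_id() !== (int) $user->ID ) {
        return $response;
    }

    $data = $response->get_data();

    // Core sends capabilities as an object; cast to array because empty() is never true for an object.
    $caps = isset( $data['capabilities'] ) ? (array) $data['capabilities'] : array();
    if ( ! empty( $caps ) ) {
        return $response; // The user already has a role (and therefore caps) on this site.
    }

    // Capability check instead of is_super_admin(), as suggested in the ticket discussion.
    if ( ! user_can( $user, 'manage_network' ) ) {
        return $response;
    }

    $administrator = get_role( 'administrator' );
    if ( ! $administrator ) {
        return $response; // Role set is customised; do not guess.
    }

    // Informational only: callers must still authorize with current_user_can() / user_can().
    $data['capabilities'] = (object) $administrator->capabilities;
    $response->set_data( $data );

    return $response;
}, 10, 3 );
```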