Opened 15 months ago

Last modified 12 months ago

#44648 new defect (bug)

User creation even though an error is thrown

Reported by: apermo
Owned by:
Milestone: Future Release
Priority: normal
Severity: normal
Version: 4.9.7
Component: REST API
Keywords: needs-patch needs-unit-tests
Focuses:
Cc:
PR Number:

Description (last modified by SergeyBiryukov)

I just had an issue, the issue itself pretty much doubles like this issue #40889

When creating a new account including a (registered) custom meta I get the following error message.

{
"code":"rest_cannot_update",
"message":"Sorry, you are not allowed to edit the _r24b_remote_id custom field.",
"data":{"key":"_r24b_remote_id","status":403}
}

But even though throwing an error, the user is created anyway, but I don't get the User ID in return.

Sending the unchanged request a second time will now cause this answer

{
"code":"existing_user_login",
"message":"Der Benutzername existiert bereits!",
"data":null
}

So besides the bug from the other ticket.

A nested error like in my case should either make the whole create process fail (or undo the successful first part of the creation) or the error message should contain the information that the user was created and only the meta field failed.

Change History (8)

#1 @flixos90
15 months ago

  • Keywords needs-patch needs-unit-tests added
  • Milestone changed from Awaiting Review to 5.0

#2 @apermo
15 months ago

  • Keywords needs-patch needs-unit-tests removed

Ok, the first part of my problem is solved thanks to @flixos90

My code was missing an auth_callback, but the issue that a nested error will not return the information that the user itself was created is still an issue.

Without testing, I assume that the same problem will also occur for any other item type, in case of posts leading to double postings.
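For reference, an added example (not code from this ticket or from WordPress core) of registering the protected meta key from the error response with an auth_callback, as comment #2 describes. The function names, the string type and the sanitize callback are assumptions; denying the write when no valid user ID is passed is a choice made for this example.

```php
<?php
// Added example. Meta keys that start with "_" are protected: when such a key
// is registered without an auth_callback, register_meta() falls back to
// __return_false, so the edit_user_meta check fails and the REST API answers
// with rest_cannot_update (403).
add_action( 'init', 'r24b_register_remote_id_meta' ); // hypothetical function name

function r24b_register_remote_id_meta() {
	register_meta(
		'user',
		'_r24b_remote_id',
		array(
			'type'              => 'string', // assumed, the ticket does not state the type
			'single'            => true,
			'show_in_rest'      => true,
			'sanitize_callback' => 'sanitize_text_field', // assumed
			'auth_callback'     => 'r24b_can_edit_remote_id',
		)
	);
}

/**
 * Runs on the auth_user_meta__r24b_remote_id filter (hypothetical function name).
 *
 * @param bool   $allowed   Default decision passed in by core (false).
 * @param string $meta_key  Meta key being checked.
 * @param int    $object_id ID of the user whose meta is being written.
 * @param int    $user_id   ID of the user making the request.
 * @return bool Whether the requesting user may write this key.
 */
function r24b_can_edit_remote_id( $allowed, $meta_key, $object_id, $user_id, $cap, $caps ) {
	$object_id = (int) $object_id;

	// No concrete target user to authorise against: fail closed.
	if ( $object_id <= 0 ) {
		return false;
	}

	// Only callers who may edit the target user may set its remote ID.
	return user_can( $user_id, 'edit_user', $object_id );
}
```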

#3 @apermo
15 months ago

  • Keywords needs-patch needs-unit-tests added

#4 @SergeyBiryukov
15 months ago

  • Description modified (diff)

#5 @apermo
12 months ago

I figured out what happens here.

<?php
protected function update_meta_value( $object_id, $meta_key, $name, $value ) {
   $meta_type = $this->get_meta_type();
   if ( ! current_user_can(  "edit_{$meta_type}_meta", $object_id, $meta_key ) ) {
...

Upon creating a new element $object_id is 0 when this function is called, and thus current_user_can will return false.

This error also applies to setting meta for any other type like categories, post_tags... With the same impact, the element is created but a 403 is returned.

This ticket was mentioned in Slack in #core-restapi by apermo. View the logs.


12 months ago

This ticket was mentioned in Slack in #core-restapi by timothybjacobs. View the logs.


12 months ago

#8 @danielbachhuber
12 months ago

  • Milestone changed from 5.0 to Future Release

Punting to Future Release because this isn't necessary for 5.0.
