Make WordPress Core

Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#55286 closed defect (bug) (invalid)

Rest Cannot Create Application Passwords

Reported by: gonza.ar
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 5.7
Component: REST API
Keywords:
Focuses: docs, rest-api
Cc:

Description

Hi!

When an API call is made to create an application password, the response is:

{
    "code": "rest_cannot_create_application_passwords",
    "message": "Sorry, you are not allowed to create application passwords for this user.",
    "data": {
        "status": 401
    }
}

API call:

https://example.com/wp-json/wp/v2/users/1/application-passwords?name=test

The problem is in the file:
/wp-includes/rest-api/endpoints/class-wp-rest-application-passwords-controller.php
line 119 method "get_items_permissions_check"

Before this line, the $user variable has all the information about the user, but when the function "current_user_can" is called, another function, "wp_get_current_user", retrieves the current user from the global variable $current_user, which is empty. Consequently, a non-existent user is assigned or created, different from the admin user, who has all the permissions to make the request to the API.

Regards

Note: WordPress Version 5.9.1

Attachments (3)

Imagen_1_3_22_11_15_pegada.jpg (186.7 KB) - added by gonza.ar 3 years ago.
Position where the global current user is used and not the user that is in the URL
Imagen_1_3_22_11_13_pegada.jpg (171.9 KB) - added by gonza.ar 3 years ago.
Here the user is assigned to the variable
Imagen_1_3_22_11_14_pegada.jpg (103.3 KB) - added by gonza.ar 3 years ago.
Here is where the validation is made of whether the admin user (inside args) has capabilities, but inside the destination function another variable is used


Change History (5)

#1 @TimothyBlynJacobs
3 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed
  • Version changed from 5.9.1 to 5.7

Hi gonza.ar,

Welcome to Trac and thanks for the ticket!

This is intentional and is behaving as expected, you can see it covered by unit tests here: https://github.com/WordPress/wordpress-develop/blob/f0dfa682a5cf2004f468c18ba8d5c87c463cdeea/tests/phpunit/tests/rest-api/rest-application-passwords-controller.php#L313

The context provided to the current_user_can check is the user that the Application Password is being created for. This allows for using map_meta_cap to further customize the capabilities required, see #51703.

If the global current user is empty, that means you aren't authenticated. You'll need to authenticate before creating Application Passwords, typically using cookies and a nonce: https://developer.wordpress.org/rest-api/using-the-rest-api/authentication/
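The point above, illustrated with an added example that is not WordPress core code and not part of this ticket: because the controller passes the target user's ID as context to current_user_can(), a site can hook map_meta_cap and decide with both the acting (authenticated) user and the target user in hand. It assumes WordPress 5.7 or later, where the controller checks the create_app_password meta capability; the function name is a placeholder. Note also that the 401 in the reported response is itself the tell: rest_authorization_required_code() returns 401 for a request with no logged-in user and 403 for a logged-in user who lacks the capability.

```php
<?php
/**
 * Added example (not WordPress core code): tighten who may create
 * Application Passwords by hooking map_meta_cap.
 *
 * Core's permission check calls
 *     current_user_can( 'create_app_password', $user->ID )
 * where $user is the user the password would be created FOR. Inside the
 * filter that shows up as:
 *   $user_id  - the authenticated user current_user_can() resolved (0 if none)
 *   $args[0]  - the target user's ID
 *
 * Assumption: WordPress 5.7+ (the 'create_app_password' meta cap);
 * install as a must-use plugin. Function name is a placeholder.
 */
add_filter( 'map_meta_cap', 'example_restrict_app_password_creation', 10, 4 );

function example_restrict_app_password_creation( $caps, $cap, $user_id, $args ) {
	if ( 'create_app_password' !== $cap ) {
		return $caps;
	}

	$target_user_id = isset( $args[0] ) ? (int) $args[0] : 0;

	// No authenticated user (the situation in this ticket): core already
	// refuses with HTTP 401; deny explicitly so the policy is self-contained.
	if ( 0 === (int) $user_id || 0 === $target_user_id ) {
		return array( 'do_not_allow' );
	}

	// Site policy: a user may mint Application Passwords only for their own
	// account, even if they are an administrator. Cross-user creation is
	// refused; core's default (edit_user on the target) stays in $caps for
	// the self case.
	if ( (int) $user_id !== $target_user_id ) {
		return array( 'do_not_allow' );
	}

	return $caps;
}
```

With this filter active, an authenticated request to /wp-json/wp/v2/users/1/application-passwords succeeds only when the authenticated user is user 1; any other user gets 403, and an unauthenticated request still gets 401 exactly as in the ticket.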

#2 @gonza.ar
3 years ago

Hi Timothy! Ok Thanks!
