#55286 closed defect (bug) (invalid)
Rest Cannot Create Application Passwords
| Reported by: | gonza.ar | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 5.7 |
| Component: | REST API | Keywords: | |
| Focuses: | docs, rest-api | Cc: | |
Description
Hi!
When an API call is made to create an application password, the response is:
{
  "code": "rest_cannot_create_application_passwords",
  "message": "Sorry, you are not allowed to create application passwords for this user.",
  "data": { "status": 401 }
}
API call:
https://example.com/wp-json/wp/v2/users/1/application-passwords?name=test
The problem is in the file:
/wp-includes/rest-api/endpoints/class-wp-rest-application-passwords-controller.php
line 119, method "get_items_permissions_check".
Before this line, the $user variable has all the information about the user, but when the function "current_user_can" is called, another function, "wp_get_current_user", retrieves the current user from the global variable $current_user, which is empty. Consequently, a non-existent user is assigned or created, different from the admin user, who has all the permissions to make the request to the API.
Regards
Note: WordPress Version 5.9.1
Attachments (3)
Change History (5)
3 years ago
Here is where the validation of whether the admin user (inside args) has capabilities is made, but inside the destination function another variable is used.
#1
3 years ago
- Milestone Awaiting Review deleted
- Resolution set to invalid
- Status changed from new to closed
- Version changed from 5.9.1 to 5.7
Hi gonza.ar,
Welcome to Trac and thanks for the ticket!
This is intentional and is behaving as expected, you can see it covered by unit tests here: https://github.com/WordPress/wordpress-develop/blob/f0dfa682a5cf2004f468c18ba8d5c87c463cdeea/tests/phpunit/tests/rest-api/rest-application-passwords-controller.php#L313
The context provided to the current_user_can check is the user that the Application Password is being created for. This allows for using map_meta_cap to further customize the capabilities required, see #51703.
If the global current user is empty, that means you aren't authenticated. You'll need to authenticate before creating Application Passwords, typically using cookies and a nonce: https://developer.wordpress.org/rest-api/using-the-rest-api/authentication/
Position where the global current user is used and not the user that is in the URL.
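To show how the reply's point plays out in practice, here is an added example (not WordPress core code and not from this ticket): a small plugin that hooks the map_meta_cap filter. It assumes the capability names core checks for this endpoint (create_app_password and the related edit/delete caps) and the filter's four-argument signature; the target user from the URL arrives as $args[0], while $user_id is the authenticated user, which is 0 for an unauthenticated request, so the policy below also produces the 401 seen in the ticket.

```php
<?php
/**
 * Plugin Name: Restrict Application Password Management (example)
 *
 * Added example, not core code. The REST controller calls
 * current_user_can( 'create_app_password', $target_user_id ), which runs
 * through map_meta_cap, so the target user (from the URL) is available here
 * as $args[0] and the acting (authenticated) user as $user_id.
 */

add_filter( 'map_meta_cap', 'example_restrict_app_password_caps', 10, 4 );

/**
 * Only allow a user to manage Application Passwords for their own account.
 *
 * @param string[] $caps    Primitive capabilities required so far.
 * @param string   $cap     Meta capability being checked.
 * @param int      $user_id ID of the user performing the action (0 if unauthenticated).
 * @param array    $args    Context; $args[0] is the user the password belongs to.
 * @return string[]
 */
function example_restrict_app_password_caps( $caps, $cap, $user_id, $args ) {
	// Capability names core uses for this endpoint (assumed from core, not from the ticket).
	$app_password_caps = array(
		'create_app_password',
		'edit_app_password',
		'delete_app_passwords',
		'delete_app_password',
	);

	if ( ! in_array( $cap, $app_password_caps, true ) ) {
		return $caps; // Not our concern; leave other checks untouched.
	}

	$target_user_id = isset( $args[0] ) ? (int) $args[0] : 0;
	$acting_user_id = (int) $user_id;

	// Policy: passwords may only be minted or removed by the account owner.
	// An unauthenticated request (acting user 0) therefore always fails,
	// and even an administrator cannot create one for another account.
	if ( 0 === $acting_user_id || $target_user_id !== $acting_user_id ) {
		return array( 'do_not_allow' ); // Core sentinel that denies the capability.
	}

	return $caps;
}
```

The same filter also governs the profile screen in wp-admin, since it checks the same meta capabilities.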