REST API: Allow site administrators to edit user roles in multisite.

While site administrators cannot generally edit users in multisite, they have always been able to change the roles of users on their site. In the REST API however, this has not been possible so far. This changeset brings parity with how it is handled in the administration panel: A REST request to edit only a user's roles succeeds correctly, while a REST request to edit any further details of a user fails.

Props jnylen0.
Fixes #40263.

Built from https://develop.svn.wordpress.org/trunk@41226


git-svn-id: http://core.svn.wordpress.org/trunk@41066 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
Felix Arntz 2017-08-03 21:59:44 +00:00
parent 7e2ca92e69
commit 1d0478d4b1
2 changed files with 15 additions and 5 deletions

View File

@ -561,12 +561,22 @@ class WP_REST_Users_Controller extends WP_REST_Controller {
return $user;
}
if ( ! current_user_can( 'edit_user', $user->ID ) ) {
return new WP_Error( 'rest_cannot_edit', __( 'Sorry, you are not allowed to edit this user.' ), array( 'status' => rest_authorization_required_code() ) );
if ( ! empty( $request['roles'] ) ) {
if ( ! current_user_can( 'promote_user', $user->ID ) ) {
return new WP_Error( 'rest_cannot_edit_roles', __( 'Sorry, you are not allowed to edit roles of this user.' ), array( 'status' => rest_authorization_required_code() ) );
}
$request_params = array_keys( $request->get_params() );
sort( $request_params );
// If only 'id' and 'roles' are specified (we are only trying to
// edit roles), then only the 'promote_user' cap is required.
if ( $request_params === array( 'id', 'roles' ) ) {
return true;
}
}
if ( ! empty( $request['roles'] ) && ! current_user_can( 'edit_users' ) ) {
return new WP_Error( 'rest_cannot_edit_roles', __( 'Sorry, you are not allowed to edit roles of this user.' ), array( 'status' => rest_authorization_required_code() ) );
if ( ! current_user_can( 'edit_user', $user->ID ) ) {
return new WP_Error( 'rest_cannot_edit', __( 'Sorry, you are not allowed to edit this user.' ), array( 'status' => rest_authorization_required_code() ) );
}
return true;

View File

@ -4,7 +4,7 @@
*
* @global string $wp_version
*/
$wp_version = '4.9-alpha-41225';
$wp_version = '4.9-alpha-41226';
/**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.