diff --git a/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php b/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php
index fa688a2614..58046ba5ce 100644
--- a/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php
+++ b/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php
@@ -561,12 +561,22 @@ class WP_REST_Users_Controller extends WP_REST_Controller {
 return $user;
 }
- if ( ! current_user_can( 'edit_user', $user->ID ) ) {
- return new WP_Error( 'rest_cannot_edit', __( 'Sorry, you are not allowed to edit this user.' ), array( 'status' => rest_authorization_required_code() ) );
+ if ( ! empty( $request['roles'] ) ) {
+ if ( ! current_user_can( 'promote_user', $user->ID ) ) {
+ return new WP_Error( 'rest_cannot_edit_roles', __( 'Sorry, you are not allowed to edit roles of this user.' ), array( 'status' => rest_authorization_required_code() ) );
+ }
+
+ $request_params = array_keys( $request->get_params() );
+ sort( $request_params );
+ // If only 'id' and 'roles' are specified (we are only trying to
+ // edit roles), then only the 'promote_user' cap is required.
+ if ( $request_params === array( 'id', 'roles' ) ) {
+ return true;
+ }
 }
- if ( ! empty( $request['roles'] ) && ! current_user_can( 'edit_users' ) ) {
- return new WP_Error( 'rest_cannot_edit_roles', __( 'Sorry, you are not allowed to edit roles of this user.' ), array( 'status' => rest_authorization_required_code() ) );
+ if ( ! current_user_can( 'edit_user', $user->ID ) ) {
+ return new WP_Error( 'rest_cannot_edit', __( 'Sorry, you are not allowed to edit this user.' ), array( 'status' => rest_authorization_required_code() ) );
 }
 return true;
diff --git a/wp-includes/version.php b/wp-includes/version.php
index be8a37031e..4cca781705 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
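Review bot: The early `return true;` inside the roles branch is the only path that skips the `edit_user` check on the target, so the role-only shortcut is safe only if the update path separately restricts the requested roles to those the caller may assign; that validation is not in this hunk, so the comment should state the dependency, e.g. `// Relies on the update path validating the requested roles against the caller's editable roles; without that, 'promote_user' alone would permit assigning any role.` The branch is gated on `! empty( $request['roles'] )`, which treats `roles = []` or `'0'` as "no role change" and falls through to the `edit_user` check alone, which is only consistent if the update code applies the same gate rather than `isset()`. `$request->get_params()` merges every parameter source, so any extra key (including schema defaults, if the EDITABLE args keep any) makes the `array( 'id', 'roles' )` comparison fail closed into the `edit_user` check; a one-line comment saying this is intentional would stop a later "fix" loosening it. The enclosing permissions method begins outside the hunk.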
@@ -4,7 +4,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '4.9-alpha-41225';
+$wp_version = '4.9-alpha-41226';
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.