From 1d0478d4b1f335556da4c7cb9f2cc45443cf5953 Mon Sep 17 00:00:00 2001
From: Felix Arntz
Date: Thu, 3 Aug 2017 21:59:44 +0000
Subject: [PATCH] REST API: Allow site administrators to edit user roles in multisite.

While site administrators cannot generally edit users in multisite, they have always been able to change the roles of users on their site. In the REST API however, this has not been possible so far.

This changeset brings parity with how it is handled in the administration panel: A REST request to edit only a user's roles succeeds correctly, while a REST request to edit any further details of a user fails.

Props jnylen0.
Fixes #40263.

Built from https://develop.svn.wordpress.org/trunk@41226

git-svn-id: http://core.svn.wordpress.org/trunk@41066 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 .../class-wp-rest-users-controller.php | 18 ++++++++++++++----
 wp-includes/version.php | 2 +-
 2 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php b/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php
index fa688a2614..58046ba5ce 100644
--- a/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php
+++ b/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php
@@ -561,12 +561,22 @@ class WP_REST_Users_Controller extends WP_REST_Controller {
 return $user;
 }

- if ( ! current_user_can( 'edit_user', $user->ID ) ) {
- return new WP_Error( 'rest_cannot_edit', __( 'Sorry, you are not allowed to edit this user.' ), array( 'status' => rest_authorization_required_code() ) );
+ if ( ! empty( $request['roles'] ) ) {
+ if ( ! current_user_can( 'promote_user', $user->ID ) ) {
+ return new WP_Error( 'rest_cannot_edit_roles', __( 'Sorry, you are not allowed to edit roles of this user.' ), array( 'status' => rest_authorization_required_code() ) );
+ }
+
+ $request_params = array_keys( $request->get_params() );
+ sort( $request_params );
+ // If only 'id' and 'roles' are specified (we are only trying to
+ // edit roles), then only the 'promote_user' cap is required.
+ if ( $request_params === array( 'id', 'roles' ) ) {
+ return true;
+ }
 }

- if ( ! empty( $request['roles'] ) && ! current_user_can( 'edit_users' ) ) {
- return new WP_Error( 'rest_cannot_edit_roles', __( 'Sorry, you are not allowed to edit roles of this user.' ), array( 'status' => rest_authorization_required_code() ) );
+ if ( ! current_user_can( 'edit_user', $user->ID ) ) {
+ return new WP_Error( 'rest_cannot_edit', __( 'Sorry, you are not allowed to edit this user.' ), array( 'status' => rest_authorization_required_code() ) );
 }

 return true;
diff --git a/wp-includes/version.php b/wp-includes/version.php
index be8a37031e..4cca781705 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -4,7 +4,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '4.9-alpha-41225';
+$wp_version = '4.9-alpha-41226';

 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
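Review bot: The roles-only shortcut compares every key returned by `$request->get_params()` against exactly `array( 'id', 'roles' )`, so any unrelated parameter that rides along on the request — for example `_wpnonce` or `_method` sent in the query string, which `get_params()` merges in alongside the body — makes the strict comparison fail and drops a site administrator who only changed roles into the `edit_user` branch and a 403. Filtering the keys down to the endpoint's registered arguments before the comparison keeps the `promote_user`-only path working for roles-only edits without widening it to other user fields; the lines below do that, assuming the route-level `id` argument is merged into the endpoint's `args` (confirm against `register_rest_route()`). The shortcut also appears to rely on the `get_user()` call above the hunk rejecting users who are not members of the current site in multisite, mirroring the `is_user_member_of_blog()` check in the admin panel's promote action; if that check is not there, it belongs before the `return true`. `update_item_permissions_check()` begins before the first line of this hunk.

```php
// … unchanged: get_user() lookup and promote_user check …
$request_params = array_keys( $request->get_params() );
$attributes     = $request->get_attributes();
// Ignore transport-level parameters (_wpnonce, _method, ...) that are not
// arguments of this endpoint, so they cannot defeat the roles-only check.
if ( ! empty( $attributes['args'] ) ) {
	$request_params = array_intersect( $request_params, array_keys( $attributes['args'] ) );
}
sort( $request_params );
// If only 'id' and 'roles' are specified (we are only trying to
// edit roles), then only the 'promote_user' cap is required.
if ( $request_params === array( 'id', 'roles' ) ) {
	return true;
}
```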