Permalink
Browse files

REST API: Do not allow access to users from a different site in multi…

…site.

It has been unintendedly possible to both view and edit users from a different site than the current site in multisite environments. Moreover, when passing roles to a user in an update request, that user would implicitly be added to the current site.

This changeset removes the incorrect behavior for now in order to be able to provide a proper REST API workflow for managing multisite users in the near future. Related unit tests have been adjusted as well.

Props jnylen0, jeremyfelt, johnjamesjacoby.
Fixes #39701.

Built from https://develop.svn.wordpress.org/trunk@40106


git-svn-id: http://core.svn.wordpress.org/trunk@40043 1a063a9b-81f0-0310-95a4-ce76da25c4cd
  • Loading branch information...
felixarntz committed Feb 23, 2017
1 parent 7d421b2 commit eb8457d3f489e51bc457604a7744d8eb541707ae
Showing with 5 additions and 5 deletions.
  1. +4 −4 wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php
  2. +1 −1 wp-includes/version.php
@@ -351,6 +351,10 @@ protected function get_user( $id ) {
return $error;
}
+ if ( is_multisite() && ! is_user_member_of_blog( $user->ID ) ) {
+ return $error;
+ }
+
return $user;
}
@@ -639,10 +643,6 @@ public function update_item( $request ) {
/** This action is documented in wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php */
do_action( 'rest_insert_user', $user, $request, false );
- if ( is_multisite() && ! is_user_member_of_blog( $id ) ) {
- add_user_to_blog( get_current_blog_id(), $id, '' );
- }
-
if ( ! empty( $request['roles'] ) ) {
array_map( array( $user, 'add_role' ), $request['roles'] );
}
View
@@ -4,7 +4,7 @@
*
* @global string $wp_version
*/
-$wp_version = '4.8-alpha-40105';
+$wp_version = '4.8-alpha-40106';
/**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.

0 comments on commit eb8457d

Please sign in to comment.