3 * REST API: WP_REST_Users_Controller class
11 * Core class used to manage users via the REST API.
15 * @see WP_REST_Controller
17 class WP_REST_Users_Controller extends WP_REST_Controller {
20 * Instance of a user meta fields object.
24 * @var WP_REST_User_Meta_Fields
34 public function __construct() {
35 $this->namespace = 'wp/v2';
36 $this->rest_base = 'users';
38 $this->meta = new WP_REST_User_Meta_Fields();
42 * Registers the routes for the objects of the controller.
47 * @see register_rest_route()
49 public function register_routes() {
51 register_rest_route( $this->namespace, '/' . $this->rest_base, array(
53 'methods' => WP_REST_Server::READABLE,
54 'callback' => array( $this, 'get_items' ),
55 'permission_callback' => array( $this, 'get_items_permissions_check' ),
56 'args' => $this->get_collection_params(),
59 'methods' => WP_REST_Server::CREATABLE,
60 'callback' => array( $this, 'create_item' ),
61 'permission_callback' => array( $this, 'create_item_permissions_check' ),
62 'args' => $this->get_endpoint_args_for_item_schema( WP_REST_Server::CREATABLE ),
64 'schema' => array( $this, 'get_public_item_schema' ),
67 register_rest_route( $this->namespace, '/' . $this->rest_base . '/(?P<id>[\d]+)', array(
70 'description' => __( 'Unique identifier for the user.' ),
75 'methods' => WP_REST_Server::READABLE,
76 'callback' => array( $this, 'get_item' ),
77 'permission_callback' => array( $this, 'get_item_permissions_check' ),
79 'context' => $this->get_context_param( array( 'default' => 'view' ) ),
83 'methods' => WP_REST_Server::EDITABLE,
84 'callback' => array( $this, 'update_item' ),
85 'permission_callback' => array( $this, 'update_item_permissions_check' ),
86 'args' => $this->get_endpoint_args_for_item_schema( WP_REST_Server::EDITABLE ),
89 'methods' => WP_REST_Server::DELETABLE,
90 'callback' => array( $this, 'delete_item' ),
91 'permission_callback' => array( $this, 'delete_item_permissions_check' ),
96 'description' => __( 'Required to be true, as users do not support trashing.' ),
100 'description' => __( 'Reassign the deleted user\'s posts and links to this user ID.' ),
102 'sanitize_callback' => array( $this, 'check_reassign' ),
106 'schema' => array( $this, 'get_public_item_schema' ),
109 register_rest_route( $this->namespace, '/' . $this->rest_base . '/me', array(
111 'methods' => WP_REST_Server::READABLE,
112 'callback' => array( $this, 'get_current_item' ),
114 'context' => $this->get_context_param( array( 'default' => 'view' ) ),
118 'methods' => WP_REST_Server::EDITABLE,
119 'callback' => array( $this, 'update_current_item' ),
120 'permission_callback' => array( $this, 'update_current_item_permissions_check' ),
121 'args' => $this->get_endpoint_args_for_item_schema( WP_REST_Server::EDITABLE ),
124 'methods' => WP_REST_Server::DELETABLE,
125 'callback' => array( $this, 'delete_current_item' ),
126 'permission_callback' => array( $this, 'delete_current_item_permissions_check' ),
131 'description' => __( 'Required to be true, as users do not support trashing.' ),
135 'description' => __( 'Reassign the deleted user\'s posts and links to this user ID.' ),
137 'sanitize_callback' => array( $this, 'check_reassign' ),
141 'schema' => array( $this, 'get_public_item_schema' ),
146 * Checks for a valid value for the reassign parameter when deleting users.
148 * The value can be an integer, 'false', false, or ''.
152 * @param int|bool $value The value passed to the reassign parameter.
153 * @param WP_REST_Request $request Full details about the request.
154 * @param string $param The parameter that is being sanitized.
156 * @return int|bool|WP_Error
158 public function check_reassign( $value, $request, $param ) {
159 if ( is_numeric( $value ) ) {
163 if ( empty( $value ) || false === $value || 'false' === $value ) {
167 return new WP_Error( 'rest_invalid_param', __( 'Invalid user parameter(s).' ), array( 'status' => 400 ) );
171 * Permissions check for getting all users.
176 * @param WP_REST_Request $request Full details about the request.
177 * @return true|WP_Error True if the request has read access, otherwise WP_Error object.
179 public function get_items_permissions_check( $request ) {
180 // Check if roles is specified in GET request and if user can list users.
181 if ( ! empty( $request['roles'] ) && ! current_user_can( 'list_users' ) ) {
182 return new WP_Error( 'rest_user_cannot_view', __( 'Sorry, you are not allowed to filter users by role.' ), array( 'status' => rest_authorization_required_code() ) );
185 if ( 'edit' === $request['context'] && ! current_user_can( 'list_users' ) ) {
186 return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you are not allowed to list users.' ), array( 'status' => rest_authorization_required_code() ) );
189 if ( in_array( $request['orderby'], array( 'email', 'registered_date' ), true ) && ! current_user_can( 'list_users' ) ) {
190 return new WP_Error( 'rest_forbidden_orderby', __( 'Sorry, you are not allowed to order users by this parameter.' ), array( 'status' => rest_authorization_required_code() ) );
197 * Retrieves all users.
202 * @param WP_REST_Request $request Full details about the request.
203 * @return WP_REST_Response|WP_Error Response object on success, or WP_Error object on failure.
205 public function get_items( $request ) {
207 // Retrieve the list of registered collection query parameters.
208 $registered = $this->get_collection_params();
211 * This array defines mappings between public API query parameters whose
212 * values are accepted as-passed, and their internal WP_Query parameter
213 * name equivalents (some are the same). Only values which are also
214 * present in $registered will be set.
216 $parameter_mappings = array(
217 'exclude' => 'exclude',
218 'include' => 'include',
220 'per_page' => 'number',
221 'search' => 'search',
222 'roles' => 'role__in',
225 $prepared_args = array();
228 * For each known parameter which is both registered and present in the request,
229 * set the parameter's value on the query $prepared_args.
231 foreach ( $parameter_mappings as $api_param => $wp_param ) {
232 if ( isset( $registered[ $api_param ], $request[ $api_param ] ) ) {
233 $prepared_args[ $wp_param ] = $request[ $api_param ];
237 if ( isset( $registered['offset'] ) && ! empty( $request['offset'] ) ) {
238 $prepared_args['offset'] = $request['offset'];
240 $prepared_args['offset'] = ( $request['page'] - 1 ) * $prepared_args['number'];
243 if ( isset( $registered['orderby'] ) ) {
244 $orderby_possibles = array(
246 'include' => 'include',
247 'name' => 'display_name',
248 'registered_date' => 'registered',
249 'slug' => 'user_nicename',
250 'email' => 'user_email',
253 $prepared_args['orderby'] = $orderby_possibles[ $request['orderby'] ];
256 if ( ! current_user_can( 'list_users' ) ) {
257 $prepared_args['has_published_posts'] = get_post_types( array( 'show_in_rest' => true ), 'names' );
260 if ( ! empty( $prepared_args['search'] ) ) {
261 $prepared_args['search'] = '*' . $prepared_args['search'] . '*';
264 if ( isset( $registered['slug'] ) && ! empty( $request['slug'] ) ) {
265 $prepared_args['search'] = $request['slug'];
266 $prepared_args['search_columns'] = array( 'user_nicename' );
270 * Filters WP_User_Query arguments when querying users via the REST API.
272 * @link https://developer.wordpress.org/reference/classes/wp_user_query/
276 * @param array $prepared_args Array of arguments for WP_User_Query.
277 * @param WP_REST_Request $request The current request.
279 $prepared_args = apply_filters( 'rest_user_query', $prepared_args, $request );
281 $query = new WP_User_Query( $prepared_args );
285 foreach ( $query->results as $user ) {
286 $data = $this->prepare_item_for_response( $user, $request );
287 $users[] = $this->prepare_response_for_collection( $data );
290 $response = rest_ensure_response( $users );
292 // Store pagination values for headers then unset for count query.
293 $per_page = (int) $prepared_args['number'];
294 $page = ceil( ( ( (int) $prepared_args['offset'] ) / $per_page ) + 1 );
296 $prepared_args['fields'] = 'ID';
298 $total_users = $query->get_total();
300 if ( $total_users < 1 ) {
301 // Out-of-bounds, run the query again without LIMIT for total count.
302 unset( $prepared_args['number'], $prepared_args['offset'] );
303 $count_query = new WP_User_Query( $prepared_args );
304 $total_users = $count_query->get_total();
307 $response->header( 'X-WP-Total', (int) $total_users );
309 $max_pages = ceil( $total_users / $per_page );
311 $response->header( 'X-WP-TotalPages', (int) $max_pages );
313 $base = add_query_arg( $request->get_query_params(), rest_url( sprintf( '%s/%s', $this->namespace, $this->rest_base ) ) );
315 $prev_page = $page - 1;
317 if ( $prev_page > $max_pages ) {
318 $prev_page = $max_pages;
321 $prev_link = add_query_arg( 'page', $prev_page, $base );
322 $response->link_header( 'prev', $prev_link );
324 if ( $max_pages > $page ) {
325 $next_page = $page + 1;
326 $next_link = add_query_arg( 'page', $next_page, $base );
328 $response->link_header( 'next', $next_link );
335 * Get the user, if the ID is valid.
339 * @param int $id Supplied ID.
340 * @return WP_User|WP_Error True if ID is valid, WP_Error otherwise.
342 protected function get_user( $id ) {
343 $error = new WP_Error( 'rest_user_invalid_id', __( 'Invalid user ID.' ), array( 'status' => 404 ) );
344 if ( (int) $id <= 0 ) {
348 $user = get_userdata( (int) $id );
349 if ( empty( $user ) || ! $user->exists() ) {
357 * Checks if a given request has access to read a user.
362 * @param WP_REST_Request $request Full details about the request.
363 * @return true|WP_Error True if the request has read access for the item, otherwise WP_Error object.
365 public function get_item_permissions_check( $request ) {
366 $user = $this->get_user( $request['id'] );
367 if ( is_wp_error( $user ) ) {
371 $types = get_post_types( array( 'show_in_rest' => true ), 'names' );
373 if ( get_current_user_id() === $user->ID ) {
377 if ( 'edit' === $request['context'] && ! current_user_can( 'list_users' ) ) {
378 return new WP_Error( 'rest_user_cannot_view', __( 'Sorry, you are not allowed to list users.' ), array( 'status' => rest_authorization_required_code() ) );
379 } elseif ( ! count_user_posts( $user->ID, $types ) && ! current_user_can( 'edit_user', $user->ID ) && ! current_user_can( 'list_users' ) ) {
380 return new WP_Error( 'rest_user_cannot_view', __( 'Sorry, you are not allowed to list users.' ), array( 'status' => rest_authorization_required_code() ) );
387 * Retrieves a single user.
392 * @param WP_REST_Request $request Full details about the request.
393 * @return WP_REST_Response|WP_Error Response object on success, or WP_Error object on failure.
395 public function get_item( $request ) {
396 $user = $this->get_user( $request['id'] );
397 if ( is_wp_error( $user ) ) {
401 $user = $this->prepare_item_for_response( $user, $request );
402 $response = rest_ensure_response( $user );
408 * Retrieves the current user.
413 * @param WP_REST_Request $request Full details about the request.
414 * @return WP_REST_Response|WP_Error Response object on success, or WP_Error object on failure.
416 public function get_current_item( $request ) {
417 $current_user_id = get_current_user_id();
419 if ( empty( $current_user_id ) ) {
420 return new WP_Error( 'rest_not_logged_in', __( 'You are not currently logged in.' ), array( 'status' => 401 ) );
423 $user = wp_get_current_user();
424 $response = $this->prepare_item_for_response( $user, $request );
425 $response = rest_ensure_response( $response );
432 * Checks if a given request has access create users.
437 * @param WP_REST_Request $request Full details about the request.
438 * @return true|WP_Error True if the request has access to create items, WP_Error object otherwise.
440 public function create_item_permissions_check( $request ) {
442 if ( ! current_user_can( 'create_users' ) ) {
443 return new WP_Error( 'rest_cannot_create_user', __( 'Sorry, you are not allowed to create new users.' ), array( 'status' => rest_authorization_required_code() ) );
450 * Creates a single user.
455 * @param WP_REST_Request $request Full details about the request.
456 * @return WP_REST_Response|WP_Error Response object on success, or WP_Error object on failure.
458 public function create_item( $request ) {
459 if ( ! empty( $request['id'] ) ) {
460 return new WP_Error( 'rest_user_exists', __( 'Cannot create existing user.' ), array( 'status' => 400 ) );
463 $schema = $this->get_item_schema();
465 if ( ! empty( $request['roles'] ) && ! empty( $schema['properties']['roles'] ) ) {
466 $check_permission = $this->check_role_update( $request['id'], $request['roles'] );
468 if ( is_wp_error( $check_permission ) ) {
469 return $check_permission;
473 $user = $this->prepare_item_for_database( $request );
475 if ( is_multisite() ) {
476 $ret = wpmu_validate_user_signup( $user->user_login, $user->user_email );
478 if ( is_wp_error( $ret['errors'] ) && ! empty( $ret['errors']->errors ) ) {
479 $error = new WP_Error( 'rest_invalid_param', __( 'Invalid user parameter(s).' ), array( 'status' => 400 ) );
480 foreach ( $ret['errors']->errors as $code => $messages ) {
481 foreach ( $messages as $message ) {
482 $error->add( $code, $message );
484 if ( $error_data = $error->get_error_data( $code ) ) {
485 $error->add_data( $error_data, $code );
492 if ( is_multisite() ) {
493 $user_id = wpmu_create_user( $user->user_login, $user->user_pass, $user->user_email );
496 return new WP_Error( 'rest_user_create', __( 'Error creating new user.' ), array( 'status' => 500 ) );
499 $user->ID = $user_id;
500 $user_id = wp_update_user( wp_slash( (array) $user ) );
502 if ( is_wp_error( $user_id ) ) {
506 add_user_to_blog( get_site()->id, $user_id, '' );
508 $user_id = wp_insert_user( wp_slash( (array) $user ) );
510 if ( is_wp_error( $user_id ) ) {
515 $user = get_user_by( 'id', $user_id );
518 * Fires immediately after a user is created or updated via the REST API.
522 * @param WP_User $user Inserted or updated user object.
523 * @param WP_REST_Request $request Request object.
524 * @param bool $creating True when creating a user, false when updating.
526 do_action( 'rest_insert_user', $user, $request, true );
528 if ( ! empty( $request['roles'] ) && ! empty( $schema['properties']['roles'] ) ) {
529 array_map( array( $user, 'add_role' ), $request['roles'] );
532 if ( ! empty( $schema['properties']['meta'] ) && isset( $request['meta'] ) ) {
533 $meta_update = $this->meta->update_value( $request['meta'], $user_id );
535 if ( is_wp_error( $meta_update ) ) {
540 $user = get_user_by( 'id', $user_id );
541 $fields_update = $this->update_additional_fields_for_object( $user, $request );
543 if ( is_wp_error( $fields_update ) ) {
544 return $fields_update;
547 $request->set_param( 'context', 'edit' );
549 $response = $this->prepare_item_for_response( $user, $request );
550 $response = rest_ensure_response( $response );
552 $response->set_status( 201 );
553 $response->header( 'Location', rest_url( sprintf( '%s/%s/%d', $this->namespace, $this->rest_base, $user_id ) ) );
559 * Checks if a given request has access to update a user.
564 * @param WP_REST_Request $request Full details about the request.
565 * @return true|WP_Error True if the request has access to update the item, WP_Error object otherwise.
567 public function update_item_permissions_check( $request ) {
568 $user = $this->get_user( $request['id'] );
569 if ( is_wp_error( $user ) ) {
573 if ( ! current_user_can( 'edit_user', $user->ID ) ) {
574 return new WP_Error( 'rest_cannot_edit', __( 'Sorry, you are not allowed to edit this user.' ), array( 'status' => rest_authorization_required_code() ) );
577 if ( ! empty( $request['roles'] ) && ! current_user_can( 'edit_users' ) ) {
578 return new WP_Error( 'rest_cannot_edit_roles', __( 'Sorry, you are not allowed to edit roles of this user.' ), array( 'status' => rest_authorization_required_code() ) );
585 * Updates a single user.
590 * @param WP_REST_Request $request Full details about the request.
591 * @return WP_REST_Response|WP_Error Response object on success, or WP_Error object on failure.
593 public function update_item( $request ) {
594 $user = $this->get_user( $request['id'] );
595 if ( is_wp_error( $user ) ) {
602 return new WP_Error( 'rest_user_invalid_id', __( 'Invalid user ID.' ), array( 'status' => 404 ) );
605 if ( email_exists( $request['email'] ) && $request['email'] !== $user->user_email ) {
606 return new WP_Error( 'rest_user_invalid_email', __( 'Invalid email address.' ), array( 'status' => 400 ) );
609 if ( ! empty( $request['username'] ) && $request['username'] !== $user->user_login ) {
610 return new WP_Error( 'rest_user_invalid_argument', __( "Username isn't editable." ), array( 'status' => 400 ) );
613 if ( ! empty( $request['slug'] ) && $request['slug'] !== $user->user_nicename && get_user_by( 'slug', $request['slug'] ) ) {
614 return new WP_Error( 'rest_user_invalid_slug', __( 'Invalid slug.' ), array( 'status' => 400 ) );
617 if ( ! empty( $request['roles'] ) ) {
618 $check_permission = $this->check_role_update( $id, $request['roles'] );
620 if ( is_wp_error( $check_permission ) ) {
621 return $check_permission;
625 $user = $this->prepare_item_for_database( $request );
627 // Ensure we're operating on the same user we already checked.
630 $user_id = wp_update_user( wp_slash( (array) $user ) );
632 if ( is_wp_error( $user_id ) ) {
636 $user = get_user_by( 'id', $user_id );
638 /* This action is documented in lib/endpoints/class-wp-rest-users-controller.php */
639 do_action( 'rest_insert_user', $user, $request, false );
641 if ( is_multisite() && ! is_user_member_of_blog( $id ) ) {
642 add_user_to_blog( get_current_blog_id(), $id, '' );
645 if ( ! empty( $request['roles'] ) ) {
646 array_map( array( $user, 'add_role' ), $request['roles'] );
649 $schema = $this->get_item_schema();
651 if ( ! empty( $schema['properties']['meta'] ) && isset( $request['meta'] ) ) {
652 $meta_update = $this->meta->update_value( $request['meta'], $id );
654 if ( is_wp_error( $meta_update ) ) {
659 $user = get_user_by( 'id', $user_id );
660 $fields_update = $this->update_additional_fields_for_object( $user, $request );
662 if ( is_wp_error( $fields_update ) ) {
663 return $fields_update;
666 $request->set_param( 'context', 'edit' );
668 $response = $this->prepare_item_for_response( $user, $request );
669 $response = rest_ensure_response( $response );
675 * Checks if a given request has access to update the current user.
680 * @param WP_REST_Request $request Full details about the request.
681 * @return true|WP_Error True if the request has access to update the item, WP_Error object otherwise.
683 public function update_current_item_permissions_check( $request ) {
684 $request['id'] = get_current_user_id();
686 return $this->update_item_permissions_check( $request );
690 * Updates the current user.
695 * @param WP_REST_Request $request Full details about the request.
696 * @return WP_REST_Response|WP_Error Response object on success, or WP_Error object on failure.
698 function update_current_item( $request ) {
699 $request['id'] = get_current_user_id();
701 return $this->update_item( $request );
705 * Checks if a given request has access delete a user.
710 * @param WP_REST_Request $request Full details about the request.
711 * @return true|WP_Error True if the request has access to delete the item, WP_Error object otherwise.
713 public function delete_item_permissions_check( $request ) {
714 $user = $this->get_user( $request['id'] );
715 if ( is_wp_error( $user ) ) {
719 if ( ! current_user_can( 'delete_user', $user->ID ) ) {
720 return new WP_Error( 'rest_user_cannot_delete', __( 'Sorry, you are not allowed to delete this user.' ), array( 'status' => rest_authorization_required_code() ) );
727 * Deletes a single user.
732 * @param WP_REST_Request $request Full details about the request.
733 * @return WP_REST_Response|WP_Error Response object on success, or WP_Error object on failure.
735 public function delete_item( $request ) {
736 // We don't support delete requests in multisite.
737 if ( is_multisite() ) {
738 return new WP_Error( 'rest_cannot_delete', __( 'The user cannot be deleted.' ), array( 'status' => 501 ) );
740 $user = $this->get_user( $request['id'] );
741 if ( is_wp_error( $user ) ) {
746 $reassign = false === $request['reassign'] ? null : absint( $request['reassign'] );
747 $force = isset( $request['force'] ) ? (bool) $request['force'] : false;
749 // We don't support trashing for users.
751 return new WP_Error( 'rest_trash_not_supported', __( 'Users do not support trashing. Set force=true to delete.' ), array( 'status' => 501 ) );
754 if ( ! empty( $reassign ) ) {
755 if ( $reassign === $id || ! get_userdata( $reassign ) ) {
756 return new WP_Error( 'rest_user_invalid_reassign', __( 'Invalid user ID for reassignment.' ), array( 'status' => 400 ) );
760 $request->set_param( 'context', 'edit' );
762 $previous = $this->prepare_item_for_response( $user, $request );
764 /** Include admin user functions to get access to wp_delete_user() */
765 require_once ABSPATH . 'wp-admin/includes/user.php';
767 $result = wp_delete_user( $id, $reassign );
770 return new WP_Error( 'rest_cannot_delete', __( 'The user cannot be deleted.' ), array( 'status' => 500 ) );
773 $response = new WP_REST_Response();
774 $response->set_data( array( 'deleted' => true, 'previous' => $previous->get_data() ) );
777 * Fires immediately after a user is deleted via the REST API.
781 * @param WP_User $user The user data.
782 * @param WP_REST_Response $response The response returned from the API.
783 * @param WP_REST_Request $request The request sent to the API.
785 do_action( 'rest_delete_user', $user, $response, $request );
791 * Checks if a given request has access to delete the current user.
796 * @param WP_REST_Request $request Full details about the request.
797 * @return true|WP_Error True if the request has access to delete the item, WP_Error object otherwise.
799 public function delete_current_item_permissions_check( $request ) {
800 $request['id'] = get_current_user_id();
802 return $this->delete_item_permissions_check( $request );
806 * Deletes the current user.
811 * @param WP_REST_Request $request Full details about the request.
812 * @return WP_REST_Response|WP_Error Response object on success, or WP_Error object on failure.
814 function delete_current_item( $request ) {
815 $request['id'] = get_current_user_id();
817 return $this->delete_item( $request );
821 * Prepares a single user output for response.
826 * @param WP_User $user User object.
827 * @param WP_REST_Request $request Request object.
828 * @return WP_REST_Response Response object.
830 public function prepare_item_for_response( $user, $request ) {
833 $schema = $this->get_item_schema();
835 if ( ! empty( $schema['properties']['id'] ) ) {
836 $data['id'] = $user->ID;
839 if ( ! empty( $schema['properties']['username'] ) ) {
840 $data['username'] = $user->user_login;
843 if ( ! empty( $schema['properties']['name'] ) ) {
844 $data['name'] = $user->display_name;
847 if ( ! empty( $schema['properties']['first_name'] ) ) {
848 $data['first_name'] = $user->first_name;
851 if ( ! empty( $schema['properties']['last_name'] ) ) {
852 $data['last_name'] = $user->last_name;
855 if ( ! empty( $schema['properties']['email'] ) ) {
856 $data['email'] = $user->user_email;
859 if ( ! empty( $schema['properties']['url'] ) ) {
860 $data['url'] = $user->user_url;
863 if ( ! empty( $schema['properties']['description'] ) ) {
864 $data['description'] = $user->description;
867 if ( ! empty( $schema['properties']['link'] ) ) {
868 $data['link'] = get_author_posts_url( $user->ID, $user->user_nicename );
871 if ( ! empty( $schema['properties']['locale'] ) ) {
872 $data['locale'] = get_user_locale( $user );
875 if ( ! empty( $schema['properties']['nickname'] ) ) {
876 $data['nickname'] = $user->nickname;
879 if ( ! empty( $schema['properties']['slug'] ) ) {
880 $data['slug'] = $user->user_nicename;
883 if ( ! empty( $schema['properties']['roles'] ) ) {
884 // Defensively call array_values() to ensure an array is returned.
885 $data['roles'] = array_values( $user->roles );
888 if ( ! empty( $schema['properties']['registered_date'] ) ) {
889 $data['registered_date'] = date( 'c', strtotime( $user->user_registered ) );
892 if ( ! empty( $schema['properties']['capabilities'] ) ) {
893 $data['capabilities'] = (object) $user->allcaps;
896 if ( ! empty( $schema['properties']['extra_capabilities'] ) ) {
897 $data['extra_capabilities'] = (object) $user->caps;
900 if ( ! empty( $schema['properties']['avatar_urls'] ) ) {
901 $data['avatar_urls'] = rest_get_avatar_urls( $user->user_email );
904 if ( ! empty( $schema['properties']['meta'] ) ) {
905 $data['meta'] = $this->meta->get_value( $user->ID, $request );
908 $context = ! empty( $request['context'] ) ? $request['context'] : 'embed';
910 $data = $this->add_additional_fields_to_object( $data, $request );
911 $data = $this->filter_response_by_context( $data, $context );
913 // Wrap the data in a response object.
914 $response = rest_ensure_response( $data );
916 $response->add_links( $this->prepare_links( $user ) );
919 * Filters user data returned from the REST API.
923 * @param WP_REST_Response $response The response object.
924 * @param object $user User object used to create response.
925 * @param WP_REST_Request $request Request object.
927 return apply_filters( 'rest_prepare_user', $response, $user, $request );
931 * Prepares links for the user request.
936 * @param WP_Post $user User object.
937 * @return array Links for the given user.
939 protected function prepare_links( $user ) {
942 'href' => rest_url( sprintf( '%s/%s/%d', $this->namespace, $this->rest_base, $user->ID ) ),
944 'collection' => array(
945 'href' => rest_url( sprintf( '%s/%s', $this->namespace, $this->rest_base ) ),
953 * Prepares a single user for creation or update.
958 * @param WP_REST_Request $request Request object.
959 * @return object $prepared_user User object.
961 protected function prepare_item_for_database( $request ) {
962 $prepared_user = new stdClass;
964 $schema = $this->get_item_schema();
966 // required arguments.
967 if ( isset( $request['email'] ) && ! empty( $schema['properties']['email'] ) ) {
968 $prepared_user->user_email = $request['email'];
971 if ( isset( $request['username'] ) && ! empty( $schema['properties']['username'] ) ) {
972 $prepared_user->user_login = $request['username'];
975 if ( isset( $request['password'] ) && ! empty( $schema['properties']['password'] ) ) {
976 $prepared_user->user_pass = $request['password'];
979 // optional arguments.
980 if ( isset( $request['id'] ) ) {
981 $prepared_user->ID = absint( $request['id'] );
984 if ( isset( $request['name'] ) && ! empty( $schema['properties']['name'] ) ) {
985 $prepared_user->display_name = $request['name'];
988 if ( isset( $request['first_name'] ) && ! empty( $schema['properties']['first_name'] ) ) {
989 $prepared_user->first_name = $request['first_name'];
992 if ( isset( $request['last_name'] ) && ! empty( $schema['properties']['last_name'] ) ) {
993 $prepared_user->last_name = $request['last_name'];
996 if ( isset( $request['nickname'] ) && ! empty( $schema['properties']['nickname'] ) ) {
997 $prepared_user->nickname = $request['nickname'];
1000 if ( isset( $request['slug'] ) && ! empty( $schema['properties']['slug'] ) ) {
1001 $prepared_user->user_nicename = $request['slug'];
1004 if ( isset( $request['description'] ) && ! empty( $schema['properties']['description'] ) ) {
1005 $prepared_user->description = $request['description'];
1008 if ( isset( $request['url'] ) && ! empty( $schema['properties']['url'] ) ) {
1009 $prepared_user->user_url = $request['url'];
1012 if ( isset( $request['locale'] ) && ! empty( $schema['properties']['locale'] ) ) {
1013 $prepared_user->locale = $request['locale'];
1016 // setting roles will be handled outside of this function.
1017 if ( isset( $request['roles'] ) ) {
1018 $prepared_user->role = false;
1022 * Filters user data before insertion via the REST API.
1026 * @param object $prepared_user User object.
1027 * @param WP_REST_Request $request Request object.
1029 return apply_filters( 'rest_pre_insert_user', $prepared_user, $request );
1033 * Determines if the current user is allowed to make the desired roles change.
1038 * @param integer $user_id User ID.
1039 * @param array $roles New user roles.
1040 * @return true|WP_Error True if the current user is allowed to make the role change,
1041 * otherwise a WP_Error object.
1043 protected function check_role_update( $user_id, $roles ) {
1046 foreach ( $roles as $role ) {
1048 if ( ! isset( $wp_roles->role_objects[ $role ] ) ) {
1049 /* translators: %s: role key */
1050 return new WP_Error( 'rest_user_invalid_role', sprintf( __( 'The role %s does not exist.' ), $role ), array( 'status' => 400 ) );
1053 $potential_role = $wp_roles->role_objects[ $role ];
1056 * Don't let anyone with 'edit_users' (admins) edit their own role to something without it.
1057 * Multisite super admins can freely edit their blog roles -- they possess all caps.
1059 if ( ! ( is_multisite()
1060 && current_user_can( 'manage_sites' ) )
1061 && get_current_user_id() === $user_id
1062 && ! $potential_role->has_cap( 'edit_users' )
1064 return new WP_Error( 'rest_user_invalid_role', __( 'Sorry, you are not allowed to give users that role.' ), array( 'status' => rest_authorization_required_code() ) );
1067 /** Include admin functions to get access to get_editable_roles() */
1068 require_once ABSPATH . 'wp-admin/includes/admin.php';
1070 // The new role must be editable by the logged-in user.
1071 $editable_roles = get_editable_roles();
1073 if ( empty( $editable_roles[ $role ] ) ) {
1074 return new WP_Error( 'rest_user_invalid_role', __( 'Sorry, you are not allowed to give users that role.' ), array( 'status' => 403 ) );
1082 * Check a username for the REST API.
1084 * Performs a couple of checks like edit_user() in wp-admin/includes/user.php.
1088 * @param mixed $value The username submitted in the request.
1089 * @param WP_REST_Request $request Full details about the request.
1090 * @param string $param The parameter name.
1091 * @return WP_Error|string The sanitized username, if valid, otherwise an error.
1093 public function check_username( $value, $request, $param ) {
1094 $username = (string) $value;
1096 if ( ! validate_username( $username ) ) {
1097 return new WP_Error( 'rest_user_invalid_username', __( 'Username contains invalid characters.' ), array( 'status' => 400 ) );
1100 /** This filter is documented in wp-includes/user.php */
1101 $illegal_logins = (array) apply_filters( 'illegal_user_logins', array() );
1103 if ( in_array( strtolower( $username ), array_map( 'strtolower', $illegal_logins ) ) ) {
1104 return new WP_Error( 'rest_user_invalid_username', __( 'Sorry, that username is not allowed.' ), array( 'status' => 400 ) );
1111 * Check a user password for the REST API.
1113 * Performs a couple of checks like edit_user() in wp-admin/includes/user.php.
1117 * @param mixed $value The password submitted in the request.
1118 * @param WP_REST_Request $request Full details about the request.
1119 * @param string $param The parameter name.
1120 * @return WP_Error|string The sanitized password, if valid, otherwise an error.
1122 public function check_user_password( $value, $request, $param ) {
1123 $password = (string) $value;
1125 if ( empty( $password ) ) {
1126 return new WP_Error( 'rest_user_invalid_password', __( 'Passwords cannot be empty.' ), array( 'status' => 400 ) );
1129 if ( false !== strpos( $password, "\\" ) ) {
1130 return new WP_Error( 'rest_user_invalid_password', __( 'Passwords cannot contain the "\\" character.' ), array( 'status' => 400 ) );
1137 * Retrieves the user's schema, conforming to JSON Schema.
1142 * @return array Item schema data.
1144 public function get_item_schema() {
1146 '$schema' => 'http://json-schema.org/schema#',
1149 'properties' => array(
1151 'description' => __( 'Unique identifier for the user.' ),
1152 'type' => 'integer',
1153 'context' => array( 'embed', 'view', 'edit' ),
1156 'username' => array(
1157 'description' => __( 'Login name for the user.' ),
1159 'context' => array( 'edit' ),
1161 'arg_options' => array(
1162 'sanitize_callback' => array( $this, 'check_username' ),
1166 'description' => __( 'Display name for the user.' ),
1168 'context' => array( 'embed', 'view', 'edit' ),
1169 'arg_options' => array(
1170 'sanitize_callback' => 'sanitize_text_field',
1173 'first_name' => array(
1174 'description' => __( 'First name for the user.' ),
1176 'context' => array( 'edit' ),
1177 'arg_options' => array(
1178 'sanitize_callback' => 'sanitize_text_field',
1181 'last_name' => array(
1182 'description' => __( 'Last name for the user.' ),
1184 'context' => array( 'edit' ),
1185 'arg_options' => array(
1186 'sanitize_callback' => 'sanitize_text_field',
1190 'description' => __( 'The email address for the user.' ),
1192 'format' => 'email',
1193 'context' => array( 'edit' ),
1197 'description' => __( 'URL of the user.' ),
1200 'context' => array( 'embed', 'view', 'edit' ),
1202 'description' => array(
1203 'description' => __( 'Description of the user.' ),
1205 'context' => array( 'embed', 'view', 'edit' ),
1208 'description' => __( 'Author URL of the user.' ),
1211 'context' => array( 'embed', 'view', 'edit' ),
1215 'description' => __( 'Locale for the user.' ),
1217 'enum' => array_merge( array( '', 'en_US' ), get_available_languages() ),
1218 'context' => array( 'edit' ),
1220 'nickname' => array(
1221 'description' => __( 'The nickname for the user.' ),
1223 'context' => array( 'edit' ),
1224 'arg_options' => array(
1225 'sanitize_callback' => 'sanitize_text_field',
1229 'description' => __( 'An alphanumeric identifier for the user.' ),
1231 'context' => array( 'embed', 'view', 'edit' ),
1232 'arg_options' => array(
1233 'sanitize_callback' => array( $this, 'sanitize_slug' ),
1236 'registered_date' => array(
1237 'description' => __( 'Registration date for the user.' ),
1239 'format' => 'date-time',
1240 'context' => array( 'edit' ),
1244 'description' => __( 'Roles assigned to the user.' ),
1249 'context' => array( 'edit' ),
1251 'password' => array(
1252 'description' => __( 'Password for the user (never included).' ),
1254 'context' => array(), // Password is never displayed.
1256 'arg_options' => array(
1257 'sanitize_callback' => array( $this, 'check_user_password' ),
1260 'capabilities' => array(
1261 'description' => __( 'All capabilities assigned to the user.' ),
1263 'context' => array( 'edit' ),
1266 'extra_capabilities' => array(
1267 'description' => __( 'Any extra capabilities assigned to the user.' ),
1269 'context' => array( 'edit' ),
1275 if ( get_option( 'show_avatars' ) ) {
1276 $avatar_properties = array();
1278 $avatar_sizes = rest_get_avatar_sizes();
1280 foreach ( $avatar_sizes as $size ) {
1281 $avatar_properties[ $size ] = array(
1282 /* translators: %d: avatar image size in pixels */
1283 'description' => sprintf( __( 'Avatar URL with image size of %d pixels.' ), $size ),
1286 'context' => array( 'embed', 'view', 'edit' ),
1290 $schema['properties']['avatar_urls'] = array(
1291 'description' => __( 'Avatar URLs for the user.' ),
1293 'context' => array( 'embed', 'view', 'edit' ),
1295 'properties' => $avatar_properties,
1299 $schema['properties']['meta'] = $this->meta->get_field_schema();
1301 return $this->add_additional_fields_schema( $schema );
1305 * Retrieves the query params for collections.
1310 * @return array Collection parameters.
1312 public function get_collection_params() {
1313 $query_params = parent::get_collection_params();
1315 $query_params['context']['default'] = 'view';
1317 $query_params['exclude'] = array(
1318 'description' => __( 'Ensure result set excludes specific IDs.' ),
1321 'type' => 'integer',
1323 'default' => array(),
1326 $query_params['include'] = array(
1327 'description' => __( 'Limit result set to specific IDs.' ),
1330 'type' => 'integer',
1332 'default' => array(),
1335 $query_params['offset'] = array(
1336 'description' => __( 'Offset the result set by a specific number of items.' ),
1337 'type' => 'integer',
1340 $query_params['order'] = array(
1342 'description' => __( 'Order sort attribute ascending or descending.' ),
1343 'enum' => array( 'asc', 'desc' ),
1347 $query_params['orderby'] = array(
1348 'default' => 'name',
1349 'description' => __( 'Sort collection by object attribute.' ),
1362 $query_params['slug'] = array(
1363 'description' => __( 'Limit result set to users with a specific slug.' ),
1367 $query_params['roles'] = array(
1368 'description' => __( 'Limit result set to users matching at least one specific role provided. Accepts csv list or single role.' ),
1376 * Filter collection parameters for the users controller.
1378 * This filter registers the collection parameter, but does not map the
1379 * collection parameter to an internal WP_User_Query parameter. Use the
1380 * `rest_user_query` filter to set WP_User_Query arguments.
1384 * @param array $query_params JSON Schema-formatted collection parameters.
1386 return apply_filters( 'rest_user_collection_params', $query_params );