X-Git-Url: https://scripts.mit.edu/gitweb/autoinstalls/wordpress.git/blobdiff_plain/0f74cdeda4c069bfbb9c4131ef1352f55b6f8499..4ea0dca21bda49aab5ccb91ec12bb4ef5924ed3e:/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php diff --git a/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php b/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php index 3e44884a..454d4989 100644 --- a/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php +++ b/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php @@ -65,6 +65,12 @@ class WP_REST_Users_Controller extends WP_REST_Controller { ) ); register_rest_route( $this->namespace, '/' . $this->rest_base . '/(?P[\d]+)', array( + 'args' => array( + 'id' => array( + 'description' => __( 'Unique identifier for the user.' ), + 'type' => 'integer', + ), + ), array( 'methods' => WP_REST_Server::READABLE, 'callback' => array( $this, 'get_item' ), @@ -325,6 +331,28 @@ class WP_REST_Users_Controller extends WP_REST_Controller { return $response; } + /** + * Get the user, if the ID is valid. + * + * @since 4.7.2 + * + * @param int $id Supplied ID. + * @return WP_User|WP_Error True if ID is valid, WP_Error otherwise. + */ + protected function get_user( $id ) { + $error = new WP_Error( 'rest_user_invalid_id', __( 'Invalid user ID.' ), array( 'status' => 404 ) ); + if ( (int) $id <= 0 ) { + return $error; + } + + $user = get_userdata( (int) $id ); + if ( empty( $user ) || ! $user->exists() ) { + return $error; + } + + return $user; + } + /** * Checks if a given request has access to read a user. * @@ -335,22 +363,20 @@ class WP_REST_Users_Controller extends WP_REST_Controller { * @return true|WP_Error True if the request has read access for the item, otherwise WP_Error object. */ public function get_item_permissions_check( $request ) { + $user = $this->get_user( $request['id'] ); + if ( is_wp_error( $user ) ) { + return $user; + } - $id = (int) $request['id']; - $user = get_userdata( $id ); $types = get_post_types( array( 'show_in_rest' => true ), 'names' ); - if ( empty( $id ) || empty( $user->ID ) ) { - return new WP_Error( 'rest_user_invalid_id', __( 'Invalid user ID.' ), array( 'status' => 404 ) ); - } - - if ( get_current_user_id() === $id ) { + if ( get_current_user_id() === $user->ID ) { return true; } if ( 'edit' === $request['context'] && ! current_user_can( 'list_users' ) ) { return new WP_Error( 'rest_user_cannot_view', __( 'Sorry, you are not allowed to list users.' ), array( 'status' => rest_authorization_required_code() ) ); - } elseif ( ! count_user_posts( $id, $types ) && ! current_user_can( 'edit_user', $id ) && ! current_user_can( 'list_users' ) ) { + } elseif ( ! count_user_posts( $user->ID, $types ) && ! current_user_can( 'edit_user', $user->ID ) && ! current_user_can( 'list_users' ) ) { return new WP_Error( 'rest_user_cannot_view', __( 'Sorry, you are not allowed to list users.' ), array( 'status' => rest_authorization_required_code() ) ); } @@ -367,11 +393,9 @@ class WP_REST_Users_Controller extends WP_REST_Controller { * @return WP_REST_Response|WP_Error Response object on success, or WP_Error object on failure. */ public function get_item( $request ) { - $id = (int) $request['id']; - $user = get_userdata( $id ); - - if ( empty( $id ) || empty( $user->ID ) ) { - return new WP_Error( 'rest_user_invalid_id', __( 'Invalid user ID.' ), array( 'status' => 404 ) ); + $user = $this->get_user( $request['id'] ); + if ( is_wp_error( $user ) ) { + return $user; } $user = $this->prepare_item_for_response( $user, $request ); @@ -541,10 +565,12 @@ class WP_REST_Users_Controller extends WP_REST_Controller { * @return true|WP_Error True if the request has access to update the item, WP_Error object otherwise. */ public function update_item_permissions_check( $request ) { + $user = $this->get_user( $request['id'] ); + if ( is_wp_error( $user ) ) { + return $user; + } - $id = (int) $request['id']; - - if ( ! current_user_can( 'edit_user', $id ) ) { + if ( ! current_user_can( 'edit_user', $user->ID ) ) { return new WP_Error( 'rest_cannot_edit', __( 'Sorry, you are not allowed to edit this user.' ), array( 'status' => rest_authorization_required_code() ) ); } @@ -565,8 +591,12 @@ class WP_REST_Users_Controller extends WP_REST_Controller { * @return WP_REST_Response|WP_Error Response object on success, or WP_Error object on failure. */ public function update_item( $request ) { - $id = (int) $request['id']; - $user = get_userdata( $id ); + $user = $this->get_user( $request['id'] ); + if ( is_wp_error( $user ) ) { + return $user; + } + + $id = $user->ID; if ( ! $user ) { return new WP_Error( 'rest_user_invalid_id', __( 'Invalid user ID.' ), array( 'status' => 404 ) ); @@ -681,10 +711,12 @@ class WP_REST_Users_Controller extends WP_REST_Controller { * @return true|WP_Error True if the request has access to delete the item, WP_Error object otherwise. */ public function delete_item_permissions_check( $request ) { + $user = $this->get_user( $request['id'] ); + if ( is_wp_error( $user ) ) { + return $user; + } - $id = (int) $request['id']; - - if ( ! current_user_can( 'delete_user', $id ) ) { + if ( ! current_user_can( 'delete_user', $user->ID ) ) { return new WP_Error( 'rest_user_cannot_delete', __( 'Sorry, you are not allowed to delete this user.' ), array( 'status' => rest_authorization_required_code() ) ); } @@ -705,8 +737,12 @@ class WP_REST_Users_Controller extends WP_REST_Controller { if ( is_multisite() ) { return new WP_Error( 'rest_cannot_delete', __( 'The user cannot be deleted.' ), array( 'status' => 501 ) ); } + $user = $this->get_user( $request['id'] ); + if ( is_wp_error( $user ) ) { + return $user; + } - $id = (int) $request['id']; + $id = $user->ID; $reassign = false === $request['reassign'] ? null : absint( $request['reassign'] ); $force = isset( $request['force'] ) ? (bool) $request['force'] : false; @@ -715,12 +751,6 @@ class WP_REST_Users_Controller extends WP_REST_Controller { return new WP_Error( 'rest_trash_not_supported', __( 'Users do not support trashing. Set force=true to delete.' ), array( 'status' => 501 ) ); } - $user = get_userdata( $id ); - - if ( ! $user ) { - return new WP_Error( 'rest_user_invalid_id', __( 'Invalid user ID.' ), array( 'status' => 404 ) ); - } - if ( ! empty( $reassign ) ) { if ( $reassign === $id || ! get_userdata( $reassign ) ) { return new WP_Error( 'rest_user_invalid_reassign', __( 'Invalid user ID for reassignment.' ), array( 'status' => 400 ) );