diff --git a/CHANGELOG.md b/CHANGELOG.md
index e816055e1a..89948f3259 100755
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Changelog
 
+## 2.0 Beta 12.1 (May 25, 2016)
+
+- SECURITY: Return error when request can't context==edit for users.
+
 ## 2.0 Beta 12.0 (February 9, 2016)
 
 - BREAKING CHANGE: Removes meta endpoints from primary plugin.
diff --git a/bin/readme.txt b/bin/readme.txt
index b82f37c996..fbf94481e6 100644
--- a/bin/readme.txt
+++ b/bin/readme.txt
@@ -3,7 +3,7 @@ Contributors: rmccue, rachelbaker, danielbachhuber, joehoyle
 Tags: json, rest, api, rest-api
 Requires at least: 4.4
 Tested up to: 4.5-alpha
-Stable tag: 2.0-beta12
+Stable tag: 2.0-beta12.1
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -38,6 +38,10 @@ Once you've installed and activated the plugin, [check out the documentation](ht
 
 == Changelog ==
 
+= 2.0 Beta 12.1 (May 25, 2016) =
+
+* SECURITY: Return error when request can't context==edit for users.
+
 = 2.0 Beta 12.0 (February 9, 2016) =
 
 * BREAKING CHANGE: Removes meta endpoints from primary plugin.
diff --git a/lib/endpoints/class-wp-rest-users-controller.php b/lib/endpoints/class-wp-rest-users-controller.php
index 173b566b48..c71ecf0965 100755
--- a/lib/endpoints/class-wp-rest-users-controller.php
+++ b/lib/endpoints/class-wp-rest-users-controller.php
@@ -18,6 +18,7 @@ public function register_routes() {
 		register_rest_route( $this->namespace, '/' . $this->rest_base, array(
 			array(
 				'methods'         => WP_REST_Server::READABLE,
+				'permission_callback' => array( $this, 'get_items_permissions_check' ),
 				'callback'        => array( $this, 'get_items' ),
 				'args'            => $this->get_collection_params(),
 			),
@@ -75,6 +76,21 @@ public function register_routes() {
 		));
 	}
 
+	/**
+	 * Permissions check for getting all users.
+	 *
+	 * @param WP_REST_Request $request Full details about the request.
+	 * @return WP_Error|boolean
+	 */
+	public function get_items_permissions_check( $request ) {
+
+		if ( 'edit' === $request['context'] && ! current_user_can( 'list_users' ) ) {
+			return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you cannot view this resource with edit context.' ), array( 'status' => rest_authorization_required_code() ) );
+		}
+
+		return true;
+	}
+
 	/**
 	 * Get all users
 	 *
diff --git a/plugin.php b/plugin.php
index daaeb756ac..94b2676d4e 100755
--- a/plugin.php
+++ b/plugin.php
@@ -4,7 +4,7 @@
  * Description: JSON-based REST API for WordPress, originally developed as part of GSoC 2013.
  * Author: WP REST API Team
  * Author URI: http://wp-api.org
- * Version: 2.0-beta12
+ * Version: 2.0-beta12.1
  * Plugin URI: https://github.com/WP-API/WP-API
  * License: GPL2+
  */
diff --git a/tests/test-rest-users-controller.php b/tests/test-rest-users-controller.php
index 5b917605ea..a77caff2d7 100644
--- a/tests/test-rest-users-controller.php
+++ b/tests/test-rest-users-controller.php
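Review bot: The docblock on get_items_permissions_check should state which status the returned WP_Error carries, since the method delegates it to rest_authorization_required_code() and the tests in this commit pin that to 401 for an anonymous request and 403 for an authenticated user without list_users; I would replace the `@return WP_Error|boolean` line with `@return WP_Error|boolean True when the context is permitted; WP_Error with status 401 (unauthenticated) or 403 (lacking list_users) when context=edit is requested.` The check covers only the collection READABLE route that the first hunk of this file wires it to; whether the single-user GET route enforces an equivalent restriction on edit context is not visible in this diff and is worth confirming before treating the issue as closed. register_routes, whose closing lines open this hunk, begins outside the diff.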
@@ -85,6 +85,38 @@ public function test_get_items() {
 		$this->check_user_data( $userdata, $data, 'view' );
 	}
 
+	public function test_get_items_with_edit_context() {
+		wp_set_current_user( $this->user );
+
+		$request = new WP_REST_Request( 'GET', '/wp/v2/users' );
+		$request->set_param( 'context', 'edit' );
+		$response = $this->server->dispatch( $request );
+
+		$this->assertEquals( 200, $response->get_status() );
+
+		$all_data = $response->get_data();
+		$data = $all_data[0];
+		$userdata = get_userdata( $data['id'] );
+		$this->check_user_data( $userdata, $data, 'edit', $data['_links'] );
+	}
+
+	public function test_get_items_with_edit_context_without_permission() {
+		//test with a user not logged in
+		$request = new WP_REST_Request( 'GET', '/wp/v2/users' );
+		$request->set_param( 'context', 'edit' );
+		$response = $this->server->dispatch( $request );
+
+		$this->assertEquals( 401, $response->get_status() );
+
+		//test with a user logged in but without sufficient capabilities; capability in question: 'list_users'
+		wp_set_current_user( $this->editor );
+		$request = new WP_REST_Request( 'GET', '/wp/v2/users' );
+		$request->set_param( 'context', 'edit' );
+		$response = $this->server->dispatch( $request );
+
+		$this->assertEquals( 403, $response->get_status() );
+	}
+
 	public function test_get_items_unauthenticated_only_shows_public_users() {
 		$request = new WP_REST_Request( 'GET', '/wp/v2/users' );
 		$response = $this->server->dispatch( $request );