REST API: Disable `DELETE` requests for users in multisite.

In wp-admin, users are removed from individual sites rather than deleted. A user can only be deleted from the network admin.

Until support for a `PUT` request that removes a user's site and content associations is available, `DELETE` requests are disabled to avoid possible issues with lost content.

Props jnylen0, rachelbaker.
Fixes #38962.


git-svn-id: https://develop.svn.wordpress.org/trunk@39438 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
Jeremy Felt 2016-12-02 22:10:01 +00:00
parent a55506974e
commit 9232ecc9fc
2 changed files with 77 additions and 4 deletions

View File

@ -701,6 +701,11 @@ class WP_REST_Users_Controller extends WP_REST_Controller {
* @return WP_REST_Response|WP_Error Response object on success, or WP_Error object on failure.
*/
public function delete_item( $request ) {
// We don't support delete requests in multisite.
if ( is_multisite() ) {
return new WP_Error( 'rest_cannot_delete', __( 'The user cannot be deleted.' ), array( 'status' => 501 ) );
}
$id = (int) $request['id'];
$reassign = false === $request['reassign'] ? null : absint( $request['reassign'] );
$force = isset( $request['force'] ) ? (bool) $request['force'] : false;

View File

@ -1643,6 +1643,12 @@ class WP_Test_REST_Users_Controller extends WP_Test_REST_Controller_Testcase {
$request->set_param( 'reassign', false );
$response = $this->server->dispatch( $request );
// Not implemented in multisite.
if ( is_multisite() ) {
$this->assertErrorResponse( 'rest_cannot_delete', $response, 501 );
return;
}
$this->assertEquals( 200, $response->get_status() );
$data = $response->get_data();
$this->assertTrue( $data['deleted'] );
@ -1660,6 +1666,13 @@ class WP_Test_REST_Users_Controller extends WP_Test_REST_Controller_Testcase {
$request = new WP_REST_Request( 'DELETE', sprintf( '/wp/v2/users/%d', $user_id ) );
$request->set_param( 'reassign', false );
$response = $this->server->dispatch( $request );
// Not implemented in multisite.
if ( is_multisite() ) {
$this->assertErrorResponse( 'rest_cannot_delete', $response, 501 );
return;
}
$this->assertErrorResponse( 'rest_trash_not_supported', $response, 501 );
$request->set_param( 'force', 'false' );
@ -1683,6 +1696,12 @@ class WP_Test_REST_Users_Controller extends WP_Test_REST_Controller_Testcase {
$request->set_param( 'reassign', false );
$response = $this->server->dispatch( $request );
// Not implemented in multisite.
if ( is_multisite() ) {
$this->assertErrorResponse( 'rest_cannot_delete', $response, 501 );
return;
}
$this->assertEquals( 200, $response->get_status() );
$data = $response->get_data();
$this->assertTrue( $data['deleted'] );
@ -1699,6 +1718,13 @@ class WP_Test_REST_Users_Controller extends WP_Test_REST_Controller_Testcase {
$request = new WP_REST_Request( 'DELETE', '/wp/v2/users/me' );
$request->set_param( 'reassign', false );
$response = $this->server->dispatch( $request );
// Not implemented in multisite.
if ( is_multisite() ) {
$this->assertErrorResponse( 'rest_cannot_delete', $response, 501 );
return;
}
$this->assertErrorResponse( 'rest_trash_not_supported', $response, 501 );
$request->set_param( 'force', 'false' );
@ -1740,6 +1766,12 @@ class WP_Test_REST_Users_Controller extends WP_Test_REST_Controller_Testcase {
$request->set_param( 'reassign', false );
$response = $this->server->dispatch( $request );
// Not implemented in multisite.
if ( is_multisite() ) {
$this->assertErrorResponse( 'rest_cannot_delete', $response, 501 );
return;
}
$this->assertErrorResponse( 'rest_user_invalid_id', $response, 404 );
}
@ -1764,6 +1796,12 @@ class WP_Test_REST_Users_Controller extends WP_Test_REST_Controller_Testcase {
$request->set_param( 'reassign', $reassign_id );
$response = $this->server->dispatch( $request );
// Not implemented in multisite.
if ( is_multisite() ) {
$this->assertErrorResponse( 'rest_cannot_delete', $response, 501 );
return;
}
$this->assertEquals( 200, $response->get_status() );
// Check that the post has been updated correctly
@ -1782,6 +1820,12 @@ class WP_Test_REST_Users_Controller extends WP_Test_REST_Controller_Testcase {
$request->set_param( 'reassign', 100 );
$response = $this->server->dispatch( $request );
// Not implemented in multisite.
if ( is_multisite() ) {
$this->assertErrorResponse( 'rest_cannot_delete', $response, 501 );
return;
}
$this->assertErrorResponse( 'rest_user_invalid_reassign', $response, 400 );
}
@ -1812,7 +1856,13 @@ class WP_Test_REST_Users_Controller extends WP_Test_REST_Controller_Testcase {
$request = new WP_REST_Request( 'DELETE', sprintf( '/wp/v2/users/%d', $user_id ) );
$request['force'] = true;
$request->set_param( 'reassign', false );
$this->server->dispatch( $request );
$response = $this->server->dispatch( $request );
// Not implemented in multisite.
if ( is_multisite() ) {
$this->assertErrorResponse( 'rest_cannot_delete', $response, 501 );
return;
}
$test_post = get_post( $test_post );
$this->assertEquals( 'trash', $test_post->post_status );
@ -1831,7 +1881,13 @@ class WP_Test_REST_Users_Controller extends WP_Test_REST_Controller_Testcase {
$request = new WP_REST_Request( 'DELETE', sprintf( '/wp/v2/users/%d', $user_id ) );
$request['force'] = true;
$request->set_param( 'reassign', 'false' );
$this->server->dispatch( $request );
$response = $this->server->dispatch( $request );
// Not implemented in multisite.
if ( is_multisite() ) {
$this->assertErrorResponse( 'rest_cannot_delete', $response, 501 );
return;
}
$test_post = get_post( $test_post );
$this->assertEquals( 'trash', $test_post->post_status );
@ -1850,7 +1906,13 @@ class WP_Test_REST_Users_Controller extends WP_Test_REST_Controller_Testcase {
$request = new WP_REST_Request( 'DELETE', sprintf( '/wp/v2/users/%d', $user_id ) );
$request['force'] = true;
$request->set_param( 'reassign', '' );
$this->server->dispatch( $request );
$response = $this->server->dispatch( $request );
// Not implemented in multisite.
if ( is_multisite() ) {
$this->assertErrorResponse( 'rest_cannot_delete', $response, 501 );
return;
}
$test_post = get_post( $test_post );
$this->assertEquals( 'trash', $test_post->post_status );
@ -1869,7 +1931,13 @@ class WP_Test_REST_Users_Controller extends WP_Test_REST_Controller_Testcase {
$request = new WP_REST_Request( 'DELETE', sprintf( '/wp/v2/users/%d', $user_id ) );
$request['force'] = true;
$request->set_param( 'reassign', 0 );
$this->server->dispatch( $request );
$response = $this->server->dispatch( $request );
// Not implemented in multisite.
if ( is_multisite() ) {
$this->assertErrorResponse( 'rest_cannot_delete', $response, 501 );
return;
}
$test_post = get_post( $test_post );
$this->assertEquals( 0, $test_post->post_author );