From fde4185ae4127465bdb9c57f03d126ec62762ba9 Mon Sep 17 00:00:00 2001
From: Jeremy Felt
Date: Fri, 2 Dec 2016 22:15:32 +0000
Subject: [PATCH] REST API: Disable `DELETE` requests for users in multisite.

In wp-admin, users are removed from individual sites rather than deleted. A user can only be deleted from the network admin. Until support for a PUT request that removes a user's site and content associations is available, DELETE requests are disabled to avoid possible issues with lost content.

Merges [34938] onto 4.7 branch.

Props jnylen0, rachelbaker.
Fixes #38962 for 4.7.

git-svn-id: https://develop.svn.wordpress.org/branches/4.7@39439 602fd350-edb4-49c9-b593-d223f7449a82
---
 .../class-wp-rest-users-controller.php | 5 ++
 .../tests/rest-api/rest-users-controller.php | 76 ++++++++++++++++++-
 2 files changed, 77 insertions(+), 4 deletions(-)

diff --git a/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php b/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php
index c81d092efe..01542a9b6b 100644
--- a/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php
+++ b/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php
@@ -701,6 +701,11 @@ class WP_REST_Users_Controller extends WP_REST_Controller {
 * @return WP_REST_Response|WP_Error Response object on success, or WP_Error object on failure.
 */
 public function delete_item( $request ) {
+ // We don't support delete requests in multisite.
+ if ( is_multisite() ) {
+ return new WP_Error( 'rest_cannot_delete', __( 'The user cannot be deleted.' ), array( 'status' => 501 ) );
+ }
+
 $id = (int) $request['id'];
 $reassign = false === $request['reassign'] ? null : absint( $request['reassign'] );
 $force = isset( $request['force'] ) ? (bool) $request['force'] : false;
diff --git a/tests/phpunit/tests/rest-api/rest-users-controller.php b/tests/phpunit/tests/rest-api/rest-users-controller.php
index 5911bad14d..55988a768f 100644
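Review bot: The guard sits inside `delete_item()` rather than in `delete_item_permissions_check()` or where the route's `DELETE` method is registered, so on multisite the method is presumably still advertised by `OPTIONS /wp/v2/users/<id>` and in `_links` even though every call ends in 501; applying the same `is_multisite()` condition at registration time would stop offering clients a method that can never succeed. Because the branch runs before `$request['id']` is read, a nonexistent id also yields 501 instead of 404 on multisite — the test hunks in this commit confirm that — which leaks nothing and is fine, but the one-line comment should say why the whole method is disabled rather than just that it is, e.g. `// Multisite removes users from sites rather than deleting them; DELETE is disabled until a PUT-based removal exists. See #38962.`. The body of `delete_item()` continues past the end of the hunk.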
--- a/tests/phpunit/tests/rest-api/rest-users-controller.php
+++ b/tests/phpunit/tests/rest-api/rest-users-controller.php
@@ -1643,6 +1643,12 @@ class WP_Test_REST_Users_Controller extends WP_Test_REST_Controller_Testcase {
 $request->set_param( 'reassign', false );
 $response = $this->server->dispatch( $request );
 
+ // Not implemented in multisite.
+ if ( is_multisite() ) {
+ $this->assertErrorResponse( 'rest_cannot_delete', $response, 501 );
+ return;
+ }
+
 $this->assertEquals( 200, $response->get_status() );
 $data = $response->get_data();
 $this->assertTrue( $data['deleted'] );
@@ -1660,6 +1666,13 @@ class WP_Test_REST_Users_Controller extends WP_Test_REST_Controller_Testcase {
 $request = new WP_REST_Request( 'DELETE', sprintf( '/wp/v2/users/%d', $user_id ) );
 $request->set_param( 'reassign', false );
 $response = $this->server->dispatch( $request );
+
+ // Not implemented in multisite.
+ if ( is_multisite() ) {
+ $this->assertErrorResponse( 'rest_cannot_delete', $response, 501 );
+ return;
+ }
+
 $this->assertErrorResponse( 'rest_trash_not_supported', $response, 501 );
 
 $request->set_param( 'force', 'false' );
@@ -1683,6 +1696,12 @@ class WP_Test_REST_Users_Controller extends WP_Test_REST_Controller_Testcase {
 $request->set_param( 'reassign', false );
 $response = $this->server->dispatch( $request );
 
+ // Not implemented in multisite.
+ if ( is_multisite() ) {
+ $this->assertErrorResponse( 'rest_cannot_delete', $response, 501 );
+ return;
+ }
+
 $this->assertEquals( 200, $response->get_status() );
 $data = $response->get_data();
 $this->assertTrue( $data['deleted'] );
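Review bot: The multisite branch in the first hunk asserts only the error response and then returns, so it never checks that the user was actually left in place; a regression in which `delete_item()` deleted the user and still returned `rest_cannot_delete` would pass. Before `return;` add `$this->assertNotFalse( get_userdata( $user_id ) );` — assuming `$user_id` is the id the request was built from, as the second hunk on this line shows, since the user's creation is outside the hunk. Repeating the five-line early return in every deletion test also means none of the remaining assertions run on multisite; one dedicated `test_delete_item_multisite` that builds the request, asserts the 501 and asserts the user still exists would cover the guard once and let the other tests be skipped explicitly with `markTestSkipped()` instead of silently returning. The enclosing test methods start before their hunks.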
@@ -1699,6 +1718,13 @@ class WP_Test_REST_Users_Controller extends WP_Test_REST_Controller_Testcase {
 $request = new WP_REST_Request( 'DELETE', '/wp/v2/users/me' );
 $request->set_param( 'reassign', false );
 $response = $this->server->dispatch( $request );
+
+ // Not implemented in multisite.
+ if ( is_multisite() ) {
+ $this->assertErrorResponse( 'rest_cannot_delete', $response, 501 );
+ return;
+ }
+
 $this->assertErrorResponse( 'rest_trash_not_supported', $response, 501 );
 
 $request->set_param( 'force', 'false' );
@@ -1740,6 +1766,12 @@ class WP_Test_REST_Users_Controller extends WP_Test_REST_Controller_Testcase {
 $request->set_param( 'reassign', false );
 $response = $this->server->dispatch( $request );
 
+ // Not implemented in multisite.
+ if ( is_multisite() ) {
+ $this->assertErrorResponse( 'rest_cannot_delete', $response, 501 );
+ return;
+ }
+
 $this->assertErrorResponse( 'rest_user_invalid_id', $response, 404 );
 }
 
@@ -1764,6 +1796,12 @@ class WP_Test_REST_Users_Controller extends WP_Test_REST_Controller_Testcase {
 $request->set_param( 'reassign', $reassign_id );
 $response = $this->server->dispatch( $request );
 
+ // Not implemented in multisite.
+ if ( is_multisite() ) {
+ $this->assertErrorResponse( 'rest_cannot_delete', $response, 501 );
+ return;
+ }
+
 $this->assertEquals( 200, $response->get_status() );
 
 // Check that the post has been updated correctly
@@ -1782,6 +1820,12 @@ class WP_Test_REST_Users_Controller extends WP_Test_REST_Controller_Testcase {
 $request->set_param( 'reassign', 100 );
 $response = $this->server->dispatch( $request );
 
+ // Not implemented in multisite.
+ if ( is_multisite() ) {
+ $this->assertErrorResponse( 'rest_cannot_delete', $response, 501 );
+ return;
+ }
+
 $this->assertErrorResponse( 'rest_user_invalid_reassign', $response, 400 );
 }
 
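Review bot: In the `rest_user_invalid_id` hunk the multisite expectation shows that the 501 guard now pre-empts id validation, so a nonexistent user gets `rest_cannot_delete` instead of the 404 this test is named for; the generic `// Not implemented in multisite.` comment hides that and a reader may assume the 404 path is merely untested. Change the comment in that hunk to `// Multisite: the 501 guard in delete_item() runs before the id is validated, so even an invalid id returns rest_cannot_delete.`. The same ordering applies to the `rest_user_invalid_reassign` hunk on this line, where the 400 is likewise never reached on multisite.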
@@ -1812,7 +1856,13 @@ class WP_Test_REST_Users_Controller extends WP_Test_REST_Controller_Testcase {
 $request = new WP_REST_Request( 'DELETE', sprintf( '/wp/v2/users/%d', $user_id ) );
 $request['force'] = true;
 $request->set_param( 'reassign', false );
- $this->server->dispatch( $request );
+ $response = $this->server->dispatch( $request );
+
+ // Not implemented in multisite.
+ if ( is_multisite() ) {
+ $this->assertErrorResponse( 'rest_cannot_delete', $response, 501 );
+ return;
+ }
 
 $test_post = get_post( $test_post );
 $this->assertEquals( 'trash', $test_post->post_status );
@@ -1831,7 +1881,13 @@ class WP_Test_REST_Users_Controller extends WP_Test_REST_Controller_Testcase {
 $request = new WP_REST_Request( 'DELETE', sprintf( '/wp/v2/users/%d', $user_id ) );
 $request['force'] = true;
 $request->set_param( 'reassign', 'false' );
- $this->server->dispatch( $request );
+ $response = $this->server->dispatch( $request );
+
+ // Not implemented in multisite.
+ if ( is_multisite() ) {
+ $this->assertErrorResponse( 'rest_cannot_delete', $response, 501 );
+ return;
+ }
 
 $test_post = get_post( $test_post );
 $this->assertEquals( 'trash', $test_post->post_status );
@@ -1850,7 +1906,13 @@ class WP_Test_REST_Users_Controller extends WP_Test_REST_Controller_Testcase {
 $request = new WP_REST_Request( 'DELETE', sprintf( '/wp/v2/users/%d', $user_id ) );
 $request['force'] = true;
 $request->set_param( 'reassign', '' );
- $this->server->dispatch( $request );
+ $response = $this->server->dispatch( $request );
+
+ // Not implemented in multisite.
+ if ( is_multisite() ) {
+ $this->assertErrorResponse( 'rest_cannot_delete', $response, 501 );
+ return;
+ }
 
 $test_post = get_post( $test_post );
 $this->assertEquals( 'trash', $test_post->post_status );
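Review bot: In the first hunk the multisite branch returns straight after the error assertion, so the test never verifies that `$test_post` was left untouched — yet protecting content is the stated reason for disabling DELETE in the commit message. Before `return;` add `$this->assertNotEquals( 'trash', get_post( $test_post )->post_status );` together with `$this->assertNotFalse( get_userdata( $user_id ) );`; the post's creation and initial status are outside the hunk, so assert the negative rather than a specific status. The same two lines belong in the other two hunks on this line, which differ only in the `reassign` value.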
@@ -1869,7 +1931,13 @@ class WP_Test_REST_Users_Controller extends WP_Test_REST_Controller_Testcase {
 $request = new WP_REST_Request( 'DELETE', sprintf( '/wp/v2/users/%d', $user_id ) );
 $request['force'] = true;
 $request->set_param( 'reassign', 0 );
- $this->server->dispatch( $request );
+ $response = $this->server->dispatch( $request );
+
+ // Not implemented in multisite.
+ if ( is_multisite() ) {
+ $this->assertErrorResponse( 'rest_cannot_delete', $response, 501 );
+ return;
+ }
 
 $test_post = get_post( $test_post );
 $this->assertEquals( 0, $test_post->post_author );
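Review bot: This hunk's multisite branch returns before checking that `post_author` was not reassigned, so on multisite the test proves only that an error was returned, not that the reassignment the non-multisite path asserts (`post_author` becoming `0`) did not happen. Before `return;` add `$this->assertNotEquals( 0, (int) get_post( $test_post )->post_author );`, or `$this->assertSame( $user_id, (int) get_post( $test_post )->post_author );` if the post is created with `$user_id` as author — its setup is outside the hunk, so confirm which. The enclosing test method starts before the hunk.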