Update User Custom Field - Permissions #385

Open
criptoraily opened this issue Jul 17, 2021 · 1 comment

Comments

criptoraily commented Jul 17, 2021

Trying to update a user custom field.
Authentication is via JWT, which is working because I'm able to update regular fields.

This is my JSON:

```sh
curl -X POST \
  https://myite.com/wp-json/acf/v3/users/8 \
  -H 'Content-Type: application/json' \
  -H 'Authorization: Bearer xxx.ffff.yyyy' \
  -d '{
	"fields": {
	    "id_facebook": "gold"
	}
}'
```

Those are my filters:

```php
<?php
// Enable the option "show in REST" for all fields
add_filter( 'acf/rest_api/field_settings/show_in_rest', '__return_true' );

// Enable the option "edit in REST" for all fields
add_filter( 'acf/rest_api/field_settings/edit_in_rest', '__return_true' );

// Reading items requires the edit_posts capability
add_filter( 'acf/rest_api/item_permissions/get', function( $permission ) {
	return current_user_can( 'edit_posts' );
} );

// Updating items is allowed unconditionally
add_filter( 'acf/rest_api/item_permissions/update', function( $permission, $request, $type ) {
	return true;
}, 10, 3 );
```

Getting:

```json
{
    "code": "cant_update_item",
    "message": "Cannot update item",
    "data": {
        "status": 500
    }
}
```
@splitpierre

I'm currently working on updating custom post type ACF fields with granular permissions, and having problems with the rest_forbidden 403 error code.

Here's My Situation:

  • I have a custom post type called "myct" created using CPT UI; its capability type is also called "myct" and it has ACF fields
  • Only users with the Role "myrole" can create/edit the post type (tested using WP dashboard).
  • The API is using JWT as well for auth

Expected Behavior
I was expecting editing capabilities while updating fields to match what we have in the WP backend.

Actual Behavior

  • If the user does NOT have the edit_post capability, he can't update a field (/acf/v3/myct/:id), resulting in a rest_forbidden error;
  • If the user HAS the edit_post capability, he CAN update the field;
  • If the user has edit_post but does NOT have edit_others_posts, meaning he can edit only his own posts, he can still edit anyone's post fields using the API.

Conclusion
I've been playing with roles/caps/REST for a while on a granular level, but I still can't accept the fact that capabilities are not tight via the WP REST API. In my honest opinion this might be a security issue: if Bob gives Alice a role with the edit_post cap, and Alice is able to edit anyone's post fields even though she doesn't have the edit_others_posts cap, that can cause damage.

I will be looking into this closely in the following days, any feedback is appreciated.
Will keep you posted ;)

Thank you very much, and congratulations on the work on the plugin \o/
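The two comments above describe the same gap from opposite sides: the first filter returns `true` for every update, and the second report shows that a blanket `edit_posts` check lets a user edit fields on posts they do not own. One way to close it is to check a per-object meta capability inside the `acf/rest_api/item_permissions/update` filter, so the REST route enforces the same `edit_post`/`edit_others_posts` mapping the WP dashboard applies. The following is an added example written for this thread; it is not code from the issue or from the plugin. It uses the filter signature shown in the first comment, and it assumes that `$request` is a `WP_REST_Request` whose `id` route parameter identifies the target object, and that `$type` is `'users'` for the `/acf/v3/users/:id` endpoint (the exact `$type` values the plugin passes should be verified against its source).

```php
<?php
// Added example (not from the issue or the plugin): per-object permission check
// for the acf/rest_api/item_permissions/update filter.
//
// Assumptions: $request is a WP_REST_Request with the target object id in its
// 'id' route parameter, and $type is 'users' for the user endpoint; every other
// value of $type is treated as a post-like object. Verify both against the
// plugin source before relying on this.

add_filter( 'acf/rest_api/item_permissions/update', function ( $permission, $request, $type ) {
	$id = (int) $request->get_param( 'id' );
	if ( $id <= 0 ) {
		return false; // no identifiable target, deny
	}

	// User endpoint: 'edit_user' is a WordPress meta capability that allows a
	// user to edit their own profile and otherwise requires edit_users.
	if ( 'users' === $type ) {
		return current_user_can( 'edit_user', $id );
	}

	// Post-like object: 'edit_post' is a meta capability that WordPress maps to
	// edit_posts for the author's own posts and additionally to
	// edit_others_posts for posts by someone else (for a CPT with its own
	// capability type, to the equivalent caps of that type). This is the same
	// mapping the dashboard applies, so a user with edit_posts but without
	// edit_others_posts is denied on other authors' posts.
	$post = get_post( $id );
	if ( ! $post instanceof WP_Post ) {
		return false;
	}
	return current_user_can( 'edit_post', $post->ID );
}, 10, 3 );
```

Because the check is on the specific object rather than on a role-wide capability, it fails closed when the id is missing or does not resolve, and it reuses WordPress's own `map_meta_cap` logic instead of re-implementing ownership rules. The `get` filter from the first comment can be tightened the same way with `read_post` if read access should also follow per-object rules.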
