
Add REST API Endpoints to Disable & Enable users

Open shawnhooper opened this issue 8 years ago • 5 comments

shawnhooper avatar Feb 23 '17 17:02 shawnhooper

The PR submitted works if applied directly against the master branch. If also implementing the PR I submitted for adding hooks, a little modification will be required so that the REST API calls fire the same hooks.

Decided to submit as completely independent PRs in case you wanted to implement one without the other.

shawnhooper avatar Feb 23 '17 18:02 shawnhooper

Very nice work. Love it.

Also appreciate you keeping the PRs separate.

jaredatch avatar Feb 23 '17 21:02 jaredatch

@shawnhooper this is a side note/question, but I figured I'd add it to this issue since it's REST related. Feel free to create a separate issue for this if you agree with the below.

My thought is: should we put a check in place that blocks REST API requests for users who are disabled? I'm not sure of the practicality of a blocked user being able to make a REST API request, since in theory they shouldn't be allowed to log in, but I'm not sure of the load order of things, nor am I extremely familiar with the REST API's inner workings.

Rough example:

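```php
<?php
// Rough sketch: this is meant to be a method of the plugin's main class
// (it relies on $this), with the filter registered from inside that class.

/**
 * Return an authentication error if a user who is logged in is also disabled.
 *
 * @since 1.1.0
 * @param WP_Error|null|true $access Result from earlier authentication checks.
 * @return WP_Error|null|true
 */
function rest_api_access( $access ) {

	// Reject the request when the current user is flagged as disabled.
	if ( is_user_logged_in() && $this->is_user_disabled( get_current_user_id() ) ) {

		return new WP_Error( 'rest_cannot_access', __( 'User disabled.', 'disable-users' ), array( 'status' => rest_authorization_required_code() ) );
	}

	// Otherwise leave the existing authentication result untouched.
	return $access;
}
add_filter( 'rest_authentication_errors', array( $this, 'rest_api_access' ) );
```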

Basically, one of the complaints in the past was that disabled users could still theoretically access the site in other ways (XMLRPC, now REST API, etc.), so I'd like to do our best to address that in the future.

jaredatch avatar Feb 23 '17 21:02 jaredatch
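
An added example, not part of the thread or of the plugin's code: a stand-alone sketch of the check discussed above, covering both the REST API and password logins that go through `wp_authenticate()` (the login form and XML-RPC). The meta key, function names and text domain are hypothetical placeholders; substitute whatever flag the plugin actually stores.

```php
<?php
// Assumption: hypothetical meta key marking an account as disabled.
const EXAMPLE_DISABLED_META_KEY = 'example_user_disabled';

function example_is_user_disabled( $user_id ) {
	return (bool) get_user_meta( (int) $user_id, EXAMPLE_DISABLED_META_KEY, true );
}

/**
 * Password logins: wp_authenticate() runs the 'authenticate' filter for the
 * login form and for XML-RPC. Priority 100 runs after core's credential
 * checks, so $user is a WP_User only when the credentials were valid.
 */
function example_block_disabled_login( $user ) {
	if ( $user instanceof WP_User && example_is_user_disabled( $user->ID ) ) {
		return new WP_Error( 'example_user_disabled', __( 'User disabled.', 'example-textdomain' ) );
	}
	return $user; // Pass through WP_User, WP_Error or null unchanged.
}
add_filter( 'authenticate', 'example_block_disabled_login', 100 );

/**
 * REST API: also catches requests authenticated by a session cookie that was
 * issued before the account was disabled.
 */
function example_block_disabled_rest( $result ) {
	// Keep an error already raised by an earlier callback.
	if ( is_wp_error( $result ) ) {
		return $result;
	}
	if ( is_user_logged_in() && example_is_user_disabled( get_current_user_id() ) ) {
		return new WP_Error(
			'rest_cannot_access',
			__( 'User disabled.', 'example-textdomain' ),
			array( 'status' => rest_authorization_required_code() )
		);
	}
	return $result;
}
add_filter( 'rest_authentication_errors', 'example_block_disabled_rest' );
```

To check it on a test site, flag an account, then confirm that an authenticated request to `/wp-json/wp/v2/users/me` returns the `rest_cannot_access` error and that an XML-RPC login with the same credentials fails.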

Great point @jaredatch. Looks like your rough code was spot on too. I've integrated it into my branch.

shawnhooper avatar Feb 23 '17 22:02 shawnhooper

@shawnhooper,

Since this project appears to be dead, I have forked it here: https://github.com/saintsystems/disable-user-login and re-released it here: https://wordpress.org/plugins/disable-user-login/

I have already incorporated some of the changes from PRs listed here including your one for hooks on enable/disable. Feel free to submit a PR for these changes for the REST API or otherwise.

anderly avatar Aug 14 '19 22:08 anderly