airesvsg / acf-to-rest-api

Exposes Advanced Custom Fields Endpoints in the WordPress REST API
https://wordpress.org/plugins/acf-to-rest-api/

Update User Custom Field - Permissions #385

Open criptoraily opened 2 years ago

criptoraily commented 2 years ago

Trying to update a user custom field. Authentication via JWT is working, because I'm able to update regular fields.

This is my JSON:

curl -X POST \
  https://myite.com/wp-json/acf/v3/users/8 \
  -H "Content-Type: application/json" \
  -H 'Authorization: Bearer xxx.ffff.yyyy' \
  -d '{
    "fields": {
        "id_facebook": "gold"
    }
}'

Those are my filters:

// Enable the option show in rest

add_filter( 'acf/rest_api/field_settings/show_in_rest', '__return_true' );

// Enable the option edit in rest
add_filter( 'acf/rest_api/field_settings/edit_in_rest', '__return_true' );

add_filter( 'acf/rest_api/item_permissions/get', function( $permission ) {
    return current_user_can( 'edit_posts' );
} );

add_filter( 'acf/rest_api/item_permissions/update', function( $permission, $request, $type ) {
    return true;
}, 10, 3 );

Getting:

{
    "code": "cant_update_item",
    "message": "Cannot update item",
    "data": {
        "status": 500
    }
}

splitpierre commented 2 years ago

I'm currently working on updating custom post type ACF fields, with granular permissions, and having problems with rest_forbidden 403 error code.

Here's My Situation:

Expected Behavior

I was expecting editing capabilities while updating fields to match what we have using the wp backend.

Actual Behavior

Conclusion

I've been playing with role/caps/rest for a while on a granular level, but I still can't accept the fact that capabilities are not tight via WP REST. This, in my honest opinion, might be a security issue: if Bob gives Alice a role with the edit_post cap, and Alice is able to edit anyone's post fields even though she doesn't have the edit_others_posts cap, that can cause damage.

I will be looking into this closely in the following days, any feedback is appreciated. Will keep you posted ;)

Thank you very much and congratulations on the work on the plugin \o/
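The update filter in the first comment returns true unconditionally, which is what splitpierre's edit_posts vs. edit_others_posts concern is about: once the JWT is valid, every authenticated user may write fields on every item. Here is an added example of a per-item capability check for that same filter (written for this thread, not code from the plugin or either commenter); it assumes that `$type` is 'user' for the /acf/v3/users/{id} route and the post type slug for post routes, and that the item id is available as `$request['id']`.

```php
<?php
// Added example: per-item authorization for ACF field updates over REST,
// mirroring the decision wp-admin makes through map_meta_cap().
// Assumptions (not confirmed by the thread): $type is 'user' for the users
// endpoint and the post type slug for post endpoints; the item id is
// passed as $request['id'].
add_filter( 'acf/rest_api/item_permissions/update', function ( $permission, $request, $type ) {
    $id = isset( $request['id'] ) ? absint( $request['id'] ) : 0;
    if ( 0 === $id ) {
        // No identifiable item: deny rather than fall back to a blanket allow.
        return false;
    }

    if ( 'user' === $type ) {
        // edit_user resolves to the caller's own profile, or to the
        // edit_users capability when editing somebody else's profile.
        return current_user_can( 'edit_user', $id );
    }

    if ( 'term' === $type ) {
        return current_user_can( 'edit_term', $id );
    }

    if ( 'comment' === $type ) {
        return current_user_can( 'edit_comment', $id );
    }

    // Posts and custom post types: edit_post is a meta capability that
    // WordPress maps to edit_others_posts when the post has another author,
    // so a user with only edit_posts is denied on other people's items.
    if ( get_post( $id ) instanceof WP_Post ) {
        return current_user_can( 'edit_post', $id );
    }

    // Unknown item type: keep whatever the plugin decided by default.
    return $permission;
}, 10, 3 );
```

Because the check is made against the specific item id, a 403 from this filter for a post owned by someone else is the intended outcome, not a misconfiguration.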