jaredatch / Disable-Users

WordPress plugin that provides the ability to disable specific user accounts.

Add REST API Endpoints to Disable & Enable users #17

Open shawnhooper opened 7 years ago

shawnhooper commented 7 years ago

The PR as submitted works if applied directly against the master branch. If you are also implementing the PR I submitted for adding hooks, a little modification will be required so that the REST API calls fire the same hooks.

Decided to submit as completely independent PRs in case you wanted to implement one without the other.

jaredatch commented 7 years ago

Very nice work. Love it.

Also appreciate you keeping the PRs separate.

jaredatch commented 7 years ago

@shawnhooper this is a side note/question, but I figured I'd add it to this issue since it's REST related. Feel free to create a separate issue for this if you agree with the below.

My thought is we should put a check in place that blocks REST API requests for users who are disabled. I'm not sure of the practicality of a blocked user being able to make a REST API request, since in theory they shouldn't be allowed to log in, but I'm not sure of the load order of things, nor am I extremely familiar with the REST API inner workings.

Rough example:

<?php
// Assumes this lives in the plugin's main class, where is_user_disabled() is a method.
/**
 * Return an authentication error if the logged-in user has been disabled.
 *
 * @since 1.1.0
 * @param WP_Error|null|true $access Result of earlier REST authentication checks.
 * @return WP_Error|null|true
 */
public function rest_api_access( $access ) {

    if ( is_user_logged_in() && $this->is_user_disabled( get_current_user_id() ) ) {
        // rest_authorization_required_code() returns 401 or 403 depending on login state.
        return new WP_Error( 'rest_cannot_access', __( 'User disabled.', 'disable-users' ), array( 'status' => rest_authorization_required_code() ) );
    }

    return $access;
}

// Registered from the class constructor, alongside the plugin's other hooks.
add_filter( 'rest_authentication_errors', array( $this, 'rest_api_access' ) );

Basically, one of the complaints in the past was that disabled users could still theoretically access the site in other ways (XML-RPC, now the REST API, etc.), so I'd like to do our best to address that in the future.
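Editor's added example, not code from the plugin or from either PR: it combines the REST-access block discussed above with disable/enable endpoints of the kind this PR proposes, guarded by a permission_callback. The `disable-users/v1` namespace, the `dux_` helper and the `_dux_disabled` user-meta key are assumptions for illustration only.

```php
<?php
// Added example, not the plugin's or the PR's code. Assumes a user-meta flag
// '_dux_disabled' (placeholder key) marks a disabled account.
const DUX_META_KEY = '_dux_disabled';

function dux_is_user_disabled( $user_id ) {
    return (bool) get_user_meta( $user_id, DUX_META_KEY, true );
}

// 1. Reject REST requests from a disabled account even when it still holds a
//    valid auth cookie or application password.
add_filter( 'rest_authentication_errors', function ( $access ) {
    if ( is_user_logged_in() && dux_is_user_disabled( get_current_user_id() ) ) {
        return new WP_Error( 'rest_cannot_access', __( 'User disabled.', 'disable-users' ),
            array( 'status' => rest_authorization_required_code() ) );
    }
    return $access;
} );

// 2. POST /wp-json/disable-users/v1/{disable|enable}/<id>, guarded by a
//    permission_callback so only users allowed to edit the target can call it.
add_action( 'rest_api_init', function () {
    foreach ( array( 'disable' => 1, 'enable' => 0 ) as $route => $flag ) {
        register_rest_route( 'disable-users/v1', '/' . $route . '/(?P<id>\d+)', array(
            'methods'             => WP_REST_Server::CREATABLE, // POST, never GET
            'args'                => array( 'id' => array( 'sanitize_callback' => 'absint' ) ),
            'permission_callback' => function ( WP_REST_Request $req ) {
                $target = (int) $req['id'];
                // Same capability the Users screen requires; and no self-lockout.
                return current_user_can( 'edit_user', $target ) && $target !== get_current_user_id();
            },
            'callback' => function ( WP_REST_Request $req ) use ( $flag ) {
                $target = (int) $req['id'];
                if ( ! get_userdata( $target ) ) {
                    return new WP_Error( 'rest_user_invalid_id', 'Invalid user ID.', array( 'status' => 404 ) );
                }
                update_user_meta( $target, DUX_META_KEY, $flag );
                return rest_ensure_response( array( 'id' => $target, 'disabled' => (bool) $flag ) );
            },
        ) );
    }
} );
```

Because the filter in step 1 runs before any route callback, a disabled account cannot re-enable itself through the endpoint in step 2; the disabling only takes effect for the REST surface, so login and XML-RPC still need their own checks.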

shawnhooper commented 7 years ago

Great point @jaredatch. Looks like your rough code was spot on too. I've integrated it into my branch.

anderly commented 5 years ago

@shawnhooper,

Since this project appears to be dead, I have forked it here: https://github.com/saintsystems/disable-user-login and re-released it here: https://wordpress.org/plugins/disable-user-login/

I have already incorporated some of the changes from PRs listed here including your one for hooks on enable/disable. Feel free to submit a PR for these changes for the REST API or otherwise.