Fix sensitive data exposure vulnerability in /pm/v2/users API endpoints

[arifulhoque7]

Security: Fix broken access control in User API endpoints (IDOR)
Close 276
The /wp-json/pm/v2/users endpoints were accessible to any authenticated
user (including subscribers), exposing sensitive user data such as emails,
usernames, and external account identifiers (GitHub/Bitbucket).

Changes:

• Added List_Users permission class requiring list_users capability or PM manager role
• Added Create_Users permission class requiring create_users capability
• Updated routes/user.php to use proper capability-based permissions

Affected endpoints:

• GET /pm/v2/users
• GET /pm/v2/users/{id}
• GET /pm/v2/users/search
• GET /pm/v2/user-all-projects
• POST /pm/v2/users

Severity: Medium (CVSS 6.5)

Summary by CodeRabbit

• New Features

  • Added granular permission controls for user management operations, enabling administrators to separately control who can create users and who can list/view users.
  • Introduced a new endpoint for retrieving all user projects with proper access restrictions.

• Improvements

  • Refactored user-related access controls to enforce specific user management capabilities instead of generic authentication checks.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

Introduces two new permission classes (Create_Users and List_Users) for granular access control in user-related operations. Updates routes to enforce Create_Users permission for user creation and List_Users permission for user listing, search, and project viewing endpoints, replacing generic Authentic permission.

Changes

Cohort / File(s)	Summary
Permission Classes core/Permissions/Create_Users.php, core/Permissions/List_Users.php	Two new permission classes added. Create_Users checks for logged-in users and the create_users capability (returns 401/403 WP_Error). List_Users checks for logged-in users, list_users capability, or PM manager capability (returns 401/403 WP_Error on failure).
Routes routes/user.php	Updated GET users, users/{id}, users/search routes from Authentic to List_Users permission. Added GET user-all-projects route with List_Users permission. Replaced POST users route from Authentic to Create_Users permission.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

Needs Dev Review, Needs Testing

Suggested reviewers

• iftakharul-islam

Poem

🐰 Two new sentries stand at the gate,
Guarding users, their destiny to create.
With Create and List, permissions align,
Granular access controls, oh so fine!
Routes renewed, security refined divine! 🔐

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately reflects the main objective: fixing a sensitive data exposure vulnerability in the /pm/v2/users API endpoints by introducing capability-based access controls.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

routes/user.php (1)

24-26: Consider adding route-level permission for consistency.

The comment indicates the controller checks manage_options, but relying solely on controller-level authorization is less robust. For consistency with the other routes in this file, consider creating a dedicated permission class or using an existing one that enforces manage_options at the route level.

Defense-in-depth: route-level permissions are checked before the controller is even instantiated, providing an earlier security gate.

-// User meta update - already checks manage_options in controller
-$wedevs_pm_router->post( 'save_users_map_name', 'WeDevs/PM/User/Controllers/User_Controller@save_users_map_name' )
-    ->permission(['WeDevs\PM\Core\Permissions\Authentic']);
+// User meta update - require manage_options capability
+$wedevs_pm_router->post( 'save_users_map_name', 'WeDevs/PM/User/Controllers/User_Controller@save_users_map_name' )
+    ->permission(['WeDevs\PM\Core\Permissions\Manage_Options']); // Or create this class

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7dd0ef9 and d21a60b.

📒 Files selected for processing (3)

• core/Permissions/Create_Users.php
• core/Permissions/List_Users.php
• routes/user.php

🧰 Additional context used

🧬 Code graph analysis (1)

core/Permissions/Create_Users.php (3)

core/Permissions/Abstract_Permission.php (1)

• Abstract_Permission (8-32)

core/Permissions/List_Users.php (1)

• check (13-39)

views/assets/src/helpers/i18n/i18n.js (1)

• __ (45-47)

🔇 Additional comments (4)

core/Permissions/Create_Users.php (1)

13-34: Permission logic is correct and appropriately restrictive.

The implementation correctly enforces that only users with the create_users capability (typically administrators) can create users. The asymmetry with List_Users (which also allows PM managers) appears intentional—user creation is a more privileged operation than listing.

The 401/403 distinction for unauthenticated vs. unauthorized access follows REST API best practices.

Please confirm this asymmetry is intentional: PM managers can list users but cannot create them. If PM managers should also be able to create users, add the wedevs_pm_user_can_access() check as done in List_Users.php.

core/Permissions/List_Users.php (1)

13-39: Well-structured permission check with appropriate dual-path authorization.

The implementation correctly provides two authorization paths:

1. WordPress core list_users capability (typically admins)
2. PM-specific manager capability via wedevs_pm_user_can_access()

This ensures both WordPress administrators and PM managers can access user listing endpoints while blocking lower-privileged users like subscribers—directly addressing the IDOR vulnerability.

routes/user.php (2)

7-15: Security fix correctly applied to all user listing endpoints.

All GET endpoints for user data are now properly protected with List_Users permission, closing the IDOR vulnerability.

One consideration: GET users/{id} now requires list_users capability. Verify whether users should be able to view their own profile data. If self-access is a valid use case, the List_Users permission class may need an additional check:

// Allow users to view their own data
if ( $this->request->get_param('id') == $user_id ) {
    return true;
}

---

17-19: User creation endpoint properly secured.

The POST users endpoint is now protected with Create_Users permission, preventing unauthorized user creation.

[iftakharul-islam]

All everything looks good.
Thanks Ariful @arifulhoque7