wp/wp-includes/rest-api/endpoints/class-wp-rest-application-passwords-controller.php
--- a/wp/wp-includes/rest-api/endpoints/class-wp-rest-application-passwords-controller.php Thu Sep 29 08:06:27 2022 +0200
+++ b/wp/wp-includes/rest-api/endpoints/class-wp-rest-application-passwords-controller.php Fri Sep 05 18:40:08 2025 +0200
@@ -610,6 +610,8 @@
return $user;
}
+ $fields = $this->get_fields_for_response( $request );
+
$prepared = array(
'uuid' => $item['uuid'],
'app_id' => empty( $item['app_id'] ) ? '' : $item['app_id'],
@@ -627,7 +629,10 @@
$prepared = $this->filter_response_by_context( $prepared, $request['context'] );
$response = new WP_REST_Response( $prepared );
- $response->add_links( $this->prepare_links( $user, $item ) );
+
+ if ( rest_is_field_included( '_links', $fields ) || rest_is_field_included( '_embedded', $fields ) ) {
+ $response->add_links( $this->prepare_links( $user, $item ) );
+ }
/**
* Filters the REST API response for an application password.
@@ -653,7 +658,14 @@
protected function prepare_links( WP_User $user, $item ) {
return array(
'self' => array(
- 'href' => rest_url( sprintf( '%s/users/%d/application-passwords/%s', $this->namespace, $user->ID, $item['uuid'] ) ),
+ 'href' => rest_url(
+ sprintf(
+ '%s/users/%d/application-passwords/%s',
+ $this->namespace,
+ $user->ID,
+ $item['uuid']
+ )
+ ),
),
);
}
@@ -707,7 +719,7 @@
return $error;
}
- if ( is_multisite() && ! is_user_member_of_blog( $user->ID ) ) {
+ if ( is_multisite() && ! user_can( $user->ID, 'manage_sites' ) && ! is_user_member_of_blog( $user->ID ) ) {
return $error;
}