Hi @hozayrayz, thanks for your question.
I’m not sure which user management plugin you’re using, but I suspect it could be caused by the “Prevent discovery of usernames through ‘/?author=N’ scans, the oEmbed API, the WordPress REST API, and WordPress XML Sitemaps” option in Wordfence > All Options > Additional Options. Don’t forget to save changes when you uncheck this option.
Let us know if that makes a difference, and if not a few more details about the API endpoint and plugin you’re using to change user roles may help.
Thanks,
Peter.
Good morning and thank you for the reply,
That solution was my very last resort as I did not want to expose that endpoint and have to manually filter it based on users and user roles.
Instead, I was able to find the solution. I noticed that users with the Shop Managers and Administrators role were able to call the wp/v2/users endpoint. Meaning that there might be a specific capability (ies) that allows for that to happen.
Turns out that one of the capabilities to add in a custom role for access to the endpoint was edit_other_posts. Adding this to my custom role (among others) now allows me to access the endpoint.
Thank you!
