Fix application password revocation on multisite for non-members

Core's REST API application passwords controller checks
is_user_member_of_blog() and rejects non-members with a 404. On
WordPress.org, most users aren't members of every blog (e.g.,
profiles.wordpress.org), so operations like revoke fail.

Filter `get_user_metadata` during application password REST requests to
return a minimal capabilities array for the current user, making
is_user_member_of_blog() return true.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: obenland

settings/rest-api.php

@@ -10,6 +10,7 @@
 
 add_action( 'rest_api_init', __NAMESPACE__ . '\register_rest_routes' );
 add_action( 'rest_api_init', __NAMESPACE__ . '\register_user_fields' );
+add_filter( 'rest_pre_dispatch', __NAMESPACE__ . '\allow_application_password_management', 10, 3 );
 add_filter( 'rest_pre_insert_user', __NAMESPACE__ . '\require_email_confirmation', 10, 2 );
 add_filter( 'bp_before_profile_edit_content', __NAMESPACE__ . '\process_email_change_confirmation' );
 add_filter( 'admin_page_access_denied', __NAMESPACE__ . '\redirect_wpadmin_profile' );
@@ -466,6 +467,69 @@ function register_user_fields(): void {
 	);
 }
 
+/**
+ * Allow users to manage their own application passwords on multisite, even if
+ * they are not a member of the current blog.
+ *
+ * Core's WP_REST_Application_Passwords_Controller::get_user() checks
+ * is_user_member_of_blog() and returns a 404 for non-members. On WordPress.org,
+ * most users aren't members of every blog (e.g., profiles.wordpress.org), so
+ * application password operations like revoke fail.
+ *
+ * This works by filtering `get_user_metadata` to return a minimal capabilities
+ * array for the current user's blog capabilities key, which makes
+ * is_user_member_of_blog() return true.
+ *
+ * @param mixed            $result  Response to replace the requested version with. Can be anything
+ *                                  a normal endpoint can return, or null to not hijack the request.
+ * @param \WP_REST_Server  $server  Server instance.
+ * @param \WP_REST_Request $request Request used to generate the response.
+ * @return mixed Unmodified $result.
+ */
+function allow_application_password_management( $result, $server, $request ) {
+	if ( ! is_multisite() ) {
+		return $result;
+	}
+
+	if ( ! preg_match( '#^/wp/v2/users/\d+/application-passwords#', $request->get_route() ) ) {
+		return $result;
+	}
+
+	$current_user_id = get_current_user_id();
+	if ( ! $current_user_id ) {
+		return $result;
+	}
+
+	add_filter(
+		'get_user_metadata',
+		function ( $check, $user_id, $meta_key ) use ( $current_user_id ) {
+			global $wpdb;
+
+			if ( $user_id !== $current_user_id ) {
+				return $check;
+			}
+
+			$blog_id          = get_current_blog_id();
+			$capabilities_key = $wpdb->base_prefix;
+			if ( 1 !== $blog_id ) {
+				$capabilities_key .= $blog_id . '_';
+			}
+			$capabilities_key .= 'capabilities';
+
+			if ( $meta_key !== $capabilities_key ) {
+				return $check;
+			}
+
+			// Return a nested array: get_metadata() unwraps one level when $single is true.
+			return array( array( 'subscriber' => true ) );
+		},
+		10,
+		3
+	);
+
+	return $result;
+}
+
 /**
  * Implement the "Require email confirmation" functionality for the REST API.
  *

tests/settings/test-application-passwords.php

@@ -155,6 +155,59 @@ public function test_application_passwords_field_not_in_view_context() : void {
 		$this->assertArrayNotHasKey( 'application_passwords', $actual );
 	}
 
+	/**
+	 * Verify that a user who is not a member of the current blog can still
+	 * revoke their own application password via the REST API.
+	 *
+	 * @covers WordPressdotorg\Two_Factor\allow_application_password_management
+	 */
+	public function test_non_member_can_revoke_application_password() : void {
+		wp_set_current_user( self::$regular_user->ID, self::$regular_user->user_login );
+
+		list( , $item ) = WP_Application_Passwords::create_new_application_password(
+			self::$regular_user->ID,
+			array( 'name' => 'Revoke Test' )
+		);
+
+		// Remove the user from the current blog to simulate profiles.wordpress.org.
+		$remove_user_callback = function ( $check, $user_id, $meta_key ) {
+			global $wpdb;
+
+			if ( $user_id !== self::$regular_user->ID ) {
+				return $check;
+			}
+
+			$blog_id          = get_current_blog_id();
+			$capabilities_key = $wpdb->base_prefix;
+			if ( 1 !== $blog_id ) {
+				$capabilities_key .= $blog_id . '_';
+			}
+			$capabilities_key .= 'capabilities';
+
+			if ( $meta_key !== $capabilities_key ) {
+				return $check;
+			}
+
+			// Return false wrapped in an array: get_metadata() unwraps one level,
+			// yielding false, which fails is_array() in is_user_member_of_blog().
+			return array( false );
+		};
+
+		add_filter( 'get_user_metadata', $remove_user_callback, 9, 3 );
+
+		$this->assertFalse(
+			is_user_member_of_blog( self::$regular_user->ID ),
+			'Precondition: user should not be a member of the blog.'
+		);
+
+		$request  = new WP_REST_Request( 'DELETE', '/wp/v2/users/' . self::$regular_user->ID . '/application-passwords/' . $item['uuid'] );
+		$response = rest_do_request( $request );
+
+		remove_filter( 'get_user_metadata', $remove_user_callback, 9 );
+
+		$this->assertSame( 200, $response->get_status(), 'Non-member should be able to revoke their own application password.' );
+	}
+
 	/**
 	 * @covers WordPressdotorg\Two_Factor\register_user_fields
 	 */