Ensure permission_callback is present or warned in REST-API endpoints #75
Comments
The fix is in https://core.trac.wordpress.org/changeset/48526. Will you take this on?
@bahiirwa - yep, working on a PR now.
This issue has been mentioned on ClassicPress Forums. There might be relevant details there: https://forums.classicpress.net/t/work-towards-release-1-4-0/3305/1
Expected behavior
REST-API endpoints should enforce a permission_callback even for public endpoints. By enforcing this and reporting an error via _doing_it_wrong when the callback is missing, the security of the REST-API is improved. All endpoints must be registered with such a callback and the omission of the callback will create an error.
Current behavior
Currently, a permission_callback is not required and as such this can result in some endpoints unintentionally being made public. The current behaviour also does not make it an easy task when reading code to ensure that such a callback is present, as a simple spelling error can be missed, for example permissions_callback (note the plurality of permissions).
Possible solution
There is a backport option as this has been fixed upstream.
Steps to reproduce (for bugs)
permission_callback
Context
This has been seen upstream according to the original ticket, and several CP contributors have discussed this in Slack.
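An added example (not code from ClassicPress, WordPress or this issue): a stand-alone PHP audit that takes route definitions in the shape passed to register_rest_route() and reports endpoints whose permission_callback is missing, not callable, or misspelled as in the permissions_callback case described above. The helper name audit_route_args(), the /demo/v1 routes and demo_handler are assumptions made for illustration.

```php
<?php
// Added example. audit_route_args() is a hypothetical helper, not ClassicPress/WordPress code.
function audit_route_args( string $route, array $args ): array {
    // register_rest_route() takes one endpoint array or a list of endpoint arrays.
    $endpoints = isset( $args['callback'] ) ? array( $args ) : $args;
    $findings  = array();
    foreach ( $endpoints as $i => $endpoint ) {
        if ( ! is_array( $endpoint ) || ! isset( $endpoint['callback'] ) ) {
            continue; // Route-level entry such as 'schema', not an endpoint.
        }
        $label = "$route [endpoint $i]";
        if ( isset( $endpoint['permission_callback'] ) ) {
            if ( ! is_callable( $endpoint['permission_callback'] ) ) {
                $findings[] = "$label: permission_callback is not callable";
            }
            continue;
        }
        // No exact key: look for a near miss such as 'permissions_callback'.
        $typo = null;
        foreach ( array_keys( $endpoint ) as $key ) {
            $typo = levenshtein( (string) $key, 'permission_callback' ) <= 2 ? $key : $typo;
        }
        $findings[] = null !== $typo
            ? "$label: key '$typo' is ignored, expected 'permission_callback'"
            : "$label: permission_callback is missing";
    }
    return $findings;
}

// Constructed sample definitions, shaped like the $args given to register_rest_route().
$routes = array(
    '/demo/v1/public' => array(
        'callback'            => 'demo_handler',
        'permission_callback' => function () { return true; }, // deliberately public
    ),
    '/demo/v1/typo'   => array(
        'callback'             => 'demo_handler',
        'permissions_callback' => function () { return false; }, // misspelled key
    ),
    '/demo/v1/multi'  => array(
        array( 'methods' => 'GET', 'callback' => 'demo_handler' ), // no check at all
        array( 'methods' => 'DELETE', 'callback' => 'demo_handler', 'permission_callback' => 'no_such_function' ),
    ),
);
foreach ( $routes as $route => $args ) {
    foreach ( audit_route_args( $route, $args ) as $finding ) {
        echo $finding, PHP_EOL;
    }
}
```

The deliberately public route produces no finding because it declares its callback explicitly; the other three endpoints are each reported.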