Ensure permisson_callback is present or warned in REST-API endpoints

[mattyrob]

Expected behavior

REST-API endpoints should enforce a permission_callback even for public endpoints. By enforcing this and reporting an error via _doing_it_wrong when the callback is missing the security of the REST-API is improved.

All endpoints must be registered with such a callback and the omission of the callback with create an error.

Current behavior

Currently, a permission_callback is not required and as such this can result in some endpoints unintentionally being made public. The current behaviour also does not make is an easy task when reading code to ensure that such a callback is present as a simple spelling error can be missed for example permissions_callback (not the plurality of permissons)

Possible solution

There is a backport option as this has been fixed upstream.

Steps to reproduce (for bugs)

1. Register a REST-API Endpoint without a permission_callback
2. Note who it is publicly available

Context

This has been seen upstream according to the original ticket and several CP contributors have discussed this in slack

[bahiirwa]

The fix is in

https://core.trac.wordpress.org/changeset/48526
https://core.trac.wordpress.org/changeset/48571,

will you take on this?

[mattyrob]

@bahiirwa - yep, working on a PR now.

[bahiirwa]

@mattyrob @striebwj Punting this to 1.4.0 considering the 1.3.0 roadmap right now.

[ClassyBot]

This issue has been mentioned on ClassicPress Forums. There might be relevant details there:

https://forums.classicpress.net/t/work-towards-release-1-4-0/3305/1