
Bugfix to filter REST API data

Added `rest_prepare_user` filter to stop data leaking from the `/wp-json/wp/v2/users/2` REST API endpoint.
emrikol committed Oct 18, 2018
1 parent a24e49e commit 4df80313a3797f35aacc9dabfdb500c319a89812
Showing with 47 additions and 4 deletions.
  1. +36 −3 inc/class-pseudonymous.php
  2. +1 −1 pseudonymous.php
  3. +10 −0 readme.txt
@@ -54,6 +54,7 @@ public function init_hooks() {
add_filter( 'query', array( $this, 'anonymize_wp_user_get_data_by' ), PHP_INT_MIN, 1 );
add_filter( 'pre_get_posts', array( $this, 'anonymize_author_permalink' ), PHP_INT_MIN, 1 );
add_filter( 'get_avatar_url', array( $this, 'anonymize_get_avatar_url' ), PHP_INT_MIN, 3 );
add_filter( 'rest_prepare_user', array( $this, 'anonymize_rest_prepare_user' ), PHP_INT_MIN, 3 );
add_filter( 'wp_title', array( $this, 'itg_anonymize_htmltitle' ) );
} else {
@@ -65,6 +66,38 @@ public function init_hooks() {
update_user_caches( $user );
}
/**
* Filters user data returned from the REST API.
*
* @param WP_REST_Response $response The response object.
* @param object $user User object used to create response.
* @param WP_REST_Request $request Request object.
*/
public function anonymize_rest_prepare_user( $response, $user, $request ) {
if ( isset( $response->data['name'] ) ) {
$pseudonymous_user_nicename = get_user_meta( $response->data['id'], 'pseudonymous_user_nicename', true );
if ( $pseudonymous_user_nicename ) {
$response->data['name'] = $pseudonymous_user_nicename;
}
}
if ( isset( $response->data['slug'] ) ) {
$pseudonymous_user_login = get_user_meta( $response->data['id'], 'pseudonymous_user_login', true );
if ( $pseudonymous_user_login ) {
$response->data['slug'] = $pseudonymous_user_login;
}
}
if ( isset( $response->data['avatar_urls'] ) ) {
$pseudonymous_user_email = get_user_meta( $response->data['id'], 'pseudonymous_user_email', true );
if ( $pseudonymous_user_email ) {
$response->data['avatar_urls'] = rest_get_avatar_urls( $pseudonymous_user_email );
}
}
return $response;
}
/**
* Filters the avatar URL.
*
@@ -117,7 +150,7 @@ public function anonymize_comment_class( $classes, $class, $comment_id, $comment
if ( isset( $comment->comment_author_email ) ) {
$user = get_user_by( 'email', $comment->comment_author_email );
if ( $user ) {
$user_login = $user->user_login;
$user_login = $user->user_login;
$pseudonymous_user_login = get_user_meta( $user->ID, 'pseudonymous_user_login', true );
if ( $pseudonymous_user_login ) {
@@ -147,7 +180,7 @@ public function anonymize_author_link( $link = '', $author_id = 0, $author_nicen
$user = WP_User::get_data_by( 'ID', $author_id );
if ( $user ) {
$user_login = $user->user_login;
$user_login = $user->user_login;
$pseudonymous_user_login = get_user_meta( $author_id, 'pseudonymous_user_login', true );
if ( $user_login && $pseudonymous_user_login ) {
@@ -445,7 +478,7 @@ public function anonymize_author_permalink( $query ) {
}
foreach ( (array) $authors as $author ) {
$author = get_userdata( $author->ID );
$author = get_userdata( $author->ID );
$pseudonymous_user_login = get_user_meta( $author->ID, 'pseudonymous_user_login', true );
if ( isset( $query->query_vars['author_name'] ) && '' !== $query->query_vars['author_name'] ) {
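Review bot: In `anonymize_rest_prepare_user` (the hunk at `-65,6 +66,38`, whose body is fully visible), all three lookups key on `$response->data['id']`, which exists only when the `id` field is part of the prepared response. If the response carries `name`, `slug` or `avatar_urls` without `id` (for example when a client narrows it with the REST `_fields` parameter on WordPress versions that build the response from the requested fields), `get_user_meta()` receives no user ID and returns nothing. The real value then passes through unmodified. The filter already receives the user object, so the lookups should use it instead: `get_user_meta( $user->ID, 'pseudonymous_user_nicename', true )`, and likewise for `pseudonymous_user_login` and `pseudonymous_user_email`. Separately, only those three fields are rewritten; whether other response fields such as `link` are covered by the plugin's other filters is not visible here and should be confirmed with a test against the endpoint, and the docblock should gain `@return WP_REST_Response`.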
@@ -2,7 +2,7 @@
/**
* Plugin Name: Pseudonymous
* Description: Anonymizes user data as much as possible on the site frontend.
* Version: 1.0.0
* Version: 1.0.1
* Author: Derrick Tennant
* Author URI: https://emrikol.com/
*
@@ -5,3 +5,13 @@ Donate link: https://wordpressfoundation.org/donate/
License: GPL

Anonymizes user data as much as possible on the site frontend.

== Changelog ==

= 1.0.1 =

* Bugfix: Added `rest_prepare_user` filter to stop data leaking fro the `/wp-json/wp/v2/users/2` REST API endpoint.

= 1.0.0 =

* First Version
