Make WordPress Core


Ignore:
Timestamp:
07/21/2020 12:01:10 PM (19 months ago)
Author:
TimothyBlynJacobs
Message:

REST API: Issue a _doing_it_wrong when registering a route without a permission callback.

The REST API treats routes without a permission_callback as public. Because this happens without any warning to the user, if the permission callback is unintentionally omitted or misspelled, the endpoint can end up being available to the public. Such a scenario has happened multiple times in the wild, and the results can be catostrophic when it occurs.

For REST API routes that are intended to be public, it is recommended to set the permission callback to the __return_true built in function.

Fixes #50075.
Props rmccue, sorenbronsted, whyisjake, SergeyBiryukov, TimothyBlynJacobs.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-includes/rest-api.php

    r48367 r48526  
    8989        $arg_group         = array_merge( $defaults, $arg_group );
    9090        $arg_group['args'] = array_merge( $common_args, $arg_group['args'] );
     91
     92        if ( ! isset( $arg_group['permission_callback'] ) ) {
     93            _doing_it_wrong(
     94                __FUNCTION__,
     95                sprintf(
     96                    /* translators: 1. The REST API route being registered. 2. The argument name. 3. The suggested function name. */
     97                    __( 'The REST API route definition for %1$s is missing the required %2$s argument. For REST API routes that are intended to be public, use %3$s as the permission callback.', 'LION' ),
     98                    '<code>' . $clean_namespace . '/' . trim( $route, '/' ) . '</code>',
     99                    '<code>permission_callback</code>',
     100                    '<code>__return_true</code>'
     101                ),
     102                '5.5.0'
     103            );
     104        }
    91105    }
    92106
Note: See TracChangeset for help on using the changeset viewer.