Opened 9 years ago
Closed 9 years ago
#34305 closed defect (bug) (maybelater)
Protect the `wp/v[0-9]*` namespace
| Reported by: | rachelbaker | Owned by: | rmccue |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | REST API | Keywords: | dev-feedback needs-patch |
| Focuses: | | Cc: | |
Description
Mentioned by @wonderboymusic during the weekly dev chat. Added here for continued discussion and tracking.
Initial discussion thread: https://wordpress.slack.com/archives/core/p1444853278003636
@azaozz thought `wp/*` should be protected instead.
Change History (7)
This ticket was mentioned in Slack in #core-restapi by rachelbaker. View the logs.
9 years ago
#3 (9 years ago)
We discussed this in Slack. Our current thoughts are along the lines of: add a `_builtin => true` to our routes, and disallow (via `_doing_it_wrong`) registering routes under `wp/v*` without the flag.

Not entirely happy with the approach though. It doesn't solve the copypasta issue (if you copy-paste `wp/v2`, you'll probably copy-paste the `_builtin` bit too).
#4 (9 years ago)
Utter pedantism, but probably better to use `[\d]+` instead of `[0-9]*` -- swapping `*` to `+`, as I think there'd always be at least 1 digit?
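As an added example (not code from the REST API plugin or WordPress core), here is a stand-alone PHP model of the guard floated in #3 and #4: routes under `wp/v<digits>` are refused via `_doing_it_wrong()` unless they are registered with `_builtin => true`, and the namespace test uses `\d+` rather than `[0-9]*` so that a bare `wp/v` is not treated as reserved. The constant `WP_REST_RESERVED_NAMESPACE`, the functions `rest_namespace_is_reserved()` and `rest_route_registration_allowed()`, the sample registrations and the fallback `_doing_it_wrong()` stub for running outside WordPress are all assumptions of this example, not WordPress APIs; the `_doing_it_wrong( $function, $message, $version )` signature it calls is the real one.

```php
<?php
/**
 * Added example, not WordPress core or REST API plugin code.
 * Models the namespace guard proposed in #3/#4: a route under the reserved
 * `wp/v<digits>` namespace must carry `_builtin => true`, otherwise the
 * registration is reported through _doing_it_wrong() and refused.
 *
 * Hypothetical names (assumptions of this example): WP_REST_RESERVED_NAMESPACE,
 * rest_namespace_is_reserved(), rest_route_registration_allowed(), and the
 * _doing_it_wrong() stand-in defined below for running outside WordPress.
 */

// Per #4: require at least one digit (\d+ rather than [0-9]*), so 'wp/v' alone
// is not reserved but 'wp/v2' and 'wp/v10' are.
const WP_REST_RESERVED_NAMESPACE = '#^wp/v\d+$#';

if ( ! function_exists( '_doing_it_wrong' ) ) {
	// Minimal stand-in so the example runs with plain `php` outside WordPress.
	// Same signature as the real function: ( $function, $message, $version ).
	function _doing_it_wrong( $function, $message, $version ) {
		fwrite( STDERR, "_doing_it_wrong(): {$function} ({$version}): {$message}\n" );
	}
}

function rest_namespace_is_reserved( $namespace ) {
	// Normalise '/wp/v2/' and 'wp/v2' to the same form before matching.
	return 1 === preg_match( WP_REST_RESERVED_NAMESPACE, trim( $namespace, '/' ) );
}

/**
 * Returns true when the route may be registered, false when it must be refused.
 * $args is the per-method argument array that register_rest_route() receives.
 */
function rest_route_registration_allowed( $namespace, $route, array $args ) {
	if ( ! rest_namespace_is_reserved( $namespace ) ) {
		return true; // Plugins own their own namespaces; nothing to check.
	}
	if ( isset( $args['_builtin'] ) && true === $args['_builtin'] ) {
		return true; // Core, or a copy-paste that kept the flag (the weakness noted in #3).
	}
	_doing_it_wrong(
		'register_rest_route',
		sprintf(
			'The namespace "%s" is reserved for built-in routes; register "%s" under a plugin-specific namespace instead.',
			$namespace,
			$route
		),
		'4.4.0'
	);
	return false;
}

// Constructed sample registrations (not taken from any real plugin).
$attempts = array(
	array( 'wp/v2',       '/posts',  array( 'methods' => 'GET', '_builtin' => true ) ), // core route
	array( 'wp/v2',       '/widget', array( 'methods' => 'GET' ) ),                     // third party, refused
	array( '/wp/v10/',    '/thing',  array( 'methods' => 'POST' ) ),                    // still reserved
	array( 'wp/v',        '/thing',  array( 'methods' => 'GET' ) ),                     // no digit: not reserved
	array( 'myplugin/v1', '/widget', array( 'methods' => 'GET' ) ),                     // allowed
);

foreach ( $attempts as list( $ns, $route, $args ) ) {
	$ok = rest_route_registration_allowed( $ns, $route, $args );
	printf( "%-12s %-8s %s\n", $ns, $route, $ok ? 'registered' : 'refused' );
}
```

Running this with `php` prints one line per attempt: the `wp/v2` route without the flag and the `/wp/v10/` route are refused and reported on stderr, `wp/v` and `myplugin/v1` go through untouched, and a route that copy-pasted `_builtin => true` along with `wp/v2` is accepted, which is exactly the gap #3 admits the flag does not close.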
This ticket was mentioned in Slack in #core-restapi by rachelbaker. View the logs.
9 years ago
#7 (9 years ago)
- Milestone 4.4 deleted
- Resolution set to maybelater
- Status changed from assigned to closed
Discussed briefly on Slack. Right now, this is more of a theoretical/academic concern than anything else; in the wild, we've not really seen people using the plugin and registering their own `wp/v2/...` routes. In addition, protecting this would mean we'd need to invent a way for our own plugin to get around it.

Let's close this off for now, and we'll reinvestigate once the endpoints are in core and we can truly call them `_builtin` or similar.
We can probably protect these in `register_rest_route`, and require them to be registered via `WP_REST_Server->register_route`? Alternatively, maybe you have to pass `_no_really_i_know_what_i_am_doing => true` in the args.

Not sure how we protect this without locking the plugin out. We could check the backtrace and see if the caller was in the API plugin? ;)