WordPress.org

Make WordPress Core

Opened 4 months ago

Closed 3 months ago

Last modified 3 months ago

#43266 closed enhancement (fixed)

REST API JavaScript Client: Support an empty string for nonce

Reported by: ocean90 Owned by: adamsilverstein
Milestone: 4.9.5 Priority: normal
Severity: normal Version: 4.9
Component: REST API Keywords: has-patch commit
Focuses: javascript Cc:

Description

Related to #43265, #40422.

Example:

myApi = wp.api.init( {
        versionString: 'my-api/v1/'
        nonce: ''
} );

In this case I don't want the client to include a nonce in requests at all. But because of the args.nonce || wpApiSettings.nonce || '' line it always falls back to wpApiSettings.nonce.

A use case would be a read-only endpoint on another site in a multisite.

Attachments (2)

43266.patch (1.5 KB) - added by ocean90 4 months ago.
43266.2.patch (1.5 KB) - added by ocean90 4 months ago.
Fall back to empty string if wpApiSettings.nonce isn't set.

Download all attachments as: .zip

Change History (8)

@ocean90
4 months ago

@ocean90
4 months ago

Fall back to empty string if wpApiSettings.nonce isn't set.

#1 @adamsilverstein
4 months ago

  • Milestone changed from Awaiting Review to 5.0
  • Owner set to adamsilverstein
  • Status changed from new to assigned

#2 @ocean90
3 months ago

  • Milestone changed from 5.0 to 4.9.5

Moving to 4.9.5 to follow #42948.

@adamsilverstein What's missing here?

#3 @adamsilverstein
3 months ago

@ocean90 looks good, nothing missing. I’m afk for a week, feel free to commit.

#4 @audrasjb
3 months ago

  • Keywords commit added

#5 @ocean90
3 months ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 42852:

REST API JavaScript Client: Support an empty string for nonce to disable sending the X-WP-Nonce header.

Passing a nonce argument with an empty string to wp.api.init() now does no longer fall back to wpApiSettings.nonce. This makes it possible to stop sending nonce headers, for example to a read-only endpoint on another site in a multisite install.

Props adamsilverstein, FPCSJames, ocean90, swissspidy.
Fixes #42948, #43266.

#6 @ocean90
3 months ago

In 42854:

REST API JavaScript Client: Support an empty string for nonce to disable sending the X-WP-Nonce header.

Passing a nonce argument with an empty string to wp.api.init() now does no longer fall back to wpApiSettings.nonce. This makes it possible to stop sending nonce headers, for example to a read-only endpoint on another site in a multisite install.

Merge of [42852] to the 4.9 branch.

Props adamsilverstein, FPCSJames, ocean90, swissspidy.
See #42948, #43266.

Note: See TracTickets for help on using tickets.