Opened 3 years ago
Closed 12 months ago
#56079 closed defect (bug) (invalid)
Internal rest_do_request calls for posts/CPTs with status of anything but "published" should not need authentication
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | REST API | Keywords: | |
| Focuses: | rest-api | Cc: | |
Description (last modified by )
If I am performing an internal rest_do_request() call to a local REST endpoint, I shouldn't need to provide authentication to access posts or custom post types with a status of anything other than "published".
It's an INTERNAL request, it should ALREADY be authenticated by the code running internally already.
Change History (2)
Thanks for the ticket @mkormendy.
I appreciate that this would be helpful for you. But this is simply not how the REST API has been designed. An internal request shouldn't behave differently from a global one. Changing that at this point would be a security issue. For instance, the Batch API utilizes rest_do_request and relies on endpoints to perform their authentication checks.
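
An added illustration of the point made in the reply above (example code, not part of the ticket or of WordPress core; the `example/v1` namespace and the `example_*` functions are hypothetical). A route's `permission_callback` runs on every dispatch, including one made with `rest_do_request()`, so server-side code that legitimately needs drafts calls the shared data function directly instead of asking the REST layer to skip its checks.

```php
<?php
/**
 * Added example, not WordPress core code. Hypothetical names: the
 * "example/v1" namespace and the example_* functions. Load as a plugin.
 */

// Shared data access. It performs no authentication, so only trusted
// server-side code may call it directly.
function example_get_drafts() {
	return get_posts(
		array(
			'post_type'   => 'post',
			'post_status' => 'draft',
			'numberposts' => 10,
		)
	);
}

// REST wrapper around the same data. The permission_callback is the gate,
// and it runs for every dispatch: an HTTP request, a sub-request of the
// batch endpoint, or rest_do_request() called from PHP.
add_action( 'rest_api_init', function () {
	register_rest_route( 'example/v1', '/drafts', array(
		'methods'             => 'GET',
		'callback'            => function () {
			$titles = wp_list_pluck( example_get_drafts(), 'post_title', 'ID' );
			return rest_ensure_response( $titles );
		},
		'permission_callback' => function () {
			return current_user_can( 'edit_others_posts' );
		},
	) );
} );

// Internal dispatch is evaluated against the current user. With no
// logged-in user (cron, anonymous front-end request) this returns a
// WP_Error, exactly as the same request would over HTTP.
function example_drafts_via_rest() {
	$request  = new WP_REST_Request( 'GET', '/example/v1/drafts' );
	$response = rest_do_request( $request );
	return $response->is_error() ? $response->as_error() : $response->get_data();
}

// Trusted code that needs drafts regardless of the visitor bypasses the
// REST layer rather than weakening it.
function example_drafts_for_trusted_code() {
	return wp_list_pluck( example_get_drafts(), 'post_title', 'ID' );
}
```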