Make WordPress Core

Opened 3 years ago

Closed 12 months ago

#56079 closed defect (bug) (invalid)

Internal rest_do_request calls for posts/CPTs with status of anything but "published" should not need authentication

Reported by: mkormendy
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: REST API
Keywords:
Focuses: rest-api
Cc:

Description (last modified by sabernhardt)

If I am performing an internal rest_do_request() call to a local REST endpoint, I shouldn't need to provide authentication to access posts or custom post types with a status of anything other than "published".

It's an INTERNAL request, it should ALREADY be authenticated by the code running internally already.

Change History (2)

#1 @sabernhardt
19 months ago

  • Component changed from General to REST API
  • Description modified (diff)

#2 @TimothyBlynJacobs
12 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

Thanks for the ticket @mkormendy.

I appreciate that this would be helpful for you, but this is simply not how the REST API has been designed. An internal request shouldn't behave differently from a global one. Changing that at this point would be a security issue. For instance, the Batch API utilizes rest_do_request and relies on endpoints to perform their authentication checks.
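
The behaviour described in the reply above, as an added PHP example that is not part of the ticket or of WordPress core: an internal rest_do_request() for drafts is checked against the current user like any other request, so the calling code sets an explicit, capable user and restores the previous one afterwards. It assumes a loaded WordPress environment (for instance `wp eval-file`); the `example_*` function names and `$service_user_id` are hypothetical.

```php
<?php
// Added example, not WordPress core code. Assumes WordPress is already loaded.
// Hypothetical ID of an account that holds the edit_posts capability.
$service_user_id = 1;

/**
 * Dispatch an internal GET for draft posts and report how the endpoint's own
 * checks treated whoever the current user is.
 */
function example_fetch_drafts_internally() {
    $request = new WP_REST_Request( 'GET', '/wp/v2/posts' );
    $request->set_query_params( array( 'status' => 'draft' ) );

    // rest_do_request() uses the same dispatch path as an HTTP request, so
    // parameter sanitization and permission callbacks run against the user
    // returned by wp_get_current_user() at this moment.
    $response = rest_do_request( $request );

    if ( $response->is_error() ) {
        $error = $response->as_error();
        return sprintf( 'denied (%d %s)', $response->get_status(), $error->get_error_code() );
    }
    return sprintf( 'allowed, %d draft(s)', count( $response->get_data() ) );
}

/**
 * Run the internal request as an explicit user, then always restore the
 * previous identity so later code does not inherit the privilege.
 */
function example_fetch_drafts_as( $user_id ) {
    $previous_user_id = get_current_user_id();
    wp_set_current_user( $user_id );
    try {
        return example_fetch_drafts_internally();
    } finally {
        wp_set_current_user( $previous_user_id );
    }
}

// Anonymous context (no logged-in user, as in a cron job or CLI run).
wp_set_current_user( 0 );
echo example_fetch_drafts_internally(), PHP_EOL;

// Same internal request, made under an identity the endpoint can authorize.
echo example_fetch_drafts_as( $service_user_id ), PHP_EOL;
```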
