WordPress/wp-includes/rest-api/endpoints
TimothyBlynJacobs b8d5e161eb REST API: Issue a _doing_it_wrong when registering a route without a permission callback.
The REST API treats routes without a permission_callback as public. Because this happens without any warning to the user, if the permission callback is unintentionally omitted or misspelled, the endpoint can end up being available to the public. Such a scenario has happened multiple times in the wild, and the results can be catastrophic when it occurs.

For REST API routes that are intended to be public, it is recommended to set the permission callback to the `__return_true` built-in function.

Fixes #50075.
Props rmccue, sorenbronsted, whyisjake, SergeyBiryukov, TimothyBlynJacobs.

Built from https://develop.svn.wordpress.org/trunk@48526


git-svn-id: http://core.svn.wordpress.org/trunk@48288 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-07-21 12:03:05 +00:00
..
class-wp-rest-attachments-controller.php REST API, Media: Add X-WP-Upload-Attachment-ID HTTP header to enable retrying of post-processing of edited images if the server runs out of resources. This is the same as after uploading a new image, will do up to five additional requests to let the server create all image sub-sizes. 2020-07-21 03:00:04 +00:00
class-wp-rest-autosaves-controller.php Docs: Remove an empty line between @param and @return tags, per the documentation standards. 2020-06-20 11:18:09 +00:00
class-wp-rest-block-directory-controller.php REST API: Introduce plugin management and block directory endpoints. 2020-07-01 04:24:03 +00:00
class-wp-rest-block-renderer-controller.php REST API: Sanitize block renderer attributes. 2020-07-11 20:34:05 +00:00
class-wp-rest-block-types-controller.php REST API: Introduce Block Types endpoint. 2020-06-26 00:46:07 +00:00
class-wp-rest-blocks-controller.php Role/Capability: Use meta caps edit_post, read_post, and delete_post directly. 2020-05-23 15:24:07 +00:00
class-wp-rest-comments-controller.php Comments: Make wp_update_comment() return a WP_Error object for a canceled update, if $wp_error parameter is true. 2020-06-29 23:42:03 +00:00
class-wp-rest-controller.php REST API: Support the (min|max)Items JSON Schema keywords. 2020-06-07 22:42:13 +00:00
class-wp-rest-plugins-controller.php REST API: Introduce plugin management and block directory endpoints. 2020-07-01 04:24:03 +00:00
class-wp-rest-post-statuses-controller.php Docs: Improve inline comments per the documentation standards. 2020-01-29 00:45:18 +00:00
class-wp-rest-post-types-controller.php REST API: Issue a _doing_it_wrong when registering a route without a permission callback. 2020-07-21 12:03:05 +00:00
class-wp-rest-posts-controller.php Docs: Capitalize "ID", when referring to a post ID, term ID, etc. in a more consistent way. 2020-06-20 12:02:12 +00:00
class-wp-rest-revisions-controller.php Role/Capability: Use meta caps edit_post, read_post, and delete_post directly. 2020-05-23 15:24:07 +00:00
class-wp-rest-search-controller.php Docs: Improve inline comments per the documentation standards. 2020-01-29 00:45:18 +00:00
class-wp-rest-settings-controller.php General: Remove “whitelist” and “blacklist” in favor of more clear and inclusive language. 2020-06-22 17:26:13 +00:00
class-wp-rest-taxonomies-controller.php Docs: Improve inline comments per the documentation standards. 2020-01-29 00:45:18 +00:00
class-wp-rest-terms-controller.php Docs: Spell "falsey" in a consistent way. 2020-07-02 11:30:02 +00:00
class-wp-rest-themes-controller.php REST API: Remove specific multi-type schema handling from the themes controller. 2020-07-05 01:06:02 +00:00
class-wp-rest-users-controller.php REST API: Issue a _doing_it_wrong when registering a route without a permission callback. 2020-07-21 12:03:05 +00:00