WordPress/wp-includes/rest-api
TimothyBlynJacobs b8d5e161eb REST API: Issue a _doing_it_wrong when registering a route without a permission callback.
The REST API treats routes without a permission_callback as public. Because this happens without any warning to the user, if the permission callback is unintentionally omitted or misspelled, the endpoint can end up being available to the public. Such a scenario has happened multiple times in the wild, and the results can be catastrophic when it occurs.

For REST API routes that are intended to be public, it is recommended to set the permission callback to the `__return_true` built-in function.

Fixes #50075.
Props rmccue, sorenbronsted, whyisjake, SergeyBiryukov, TimothyBlynJacobs.

Built from https://develop.svn.wordpress.org/trunk@48526


git-svn-id: http://core.svn.wordpress.org/trunk@48288 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-07-21 12:03:05 +00:00
endpoints REST API: Issue a _doing_it_wrong when registering a route without a permission callback. 2020-07-21 12:03:05 +00:00
fields Docs: Synchronize and correct documentation for various metadata functions and filters. 2020-07-09 11:26:07 +00:00
search REST API: Use new rest_get_route_for_post() in the post search handler. 2020-07-07 15:31:02 +00:00
class-wp-rest-request.php Docs: Remove an empty line between @param and @return tags, per the documentation standards. 2020-06-20 11:18:09 +00:00
class-wp-rest-response.php Docs: Improve inline comments per the documentation standards. 2020-01-29 00:45:18 +00:00
class-wp-rest-server.php REST API: Add Content-Disposition, Content-MD5 and X-WP-Nonce as allowed cors headers. 2020-07-12 19:37:12 +00:00