Merge pull request #168 from 10up/rest-api-allow-list
Add tenup_experience_rest_api_allowlist filter for overriding allowed…
tlovett1 authored Sep 24, 2024
2 parents 6a15dbe + fe9c4d2 commit a6e63a7
Showing 3 changed files with 26 additions and 7 deletions.
4 changes: 2 additions & 2 deletions 10up-experience.php
Expand Up @@ -3,7 +3,7 @@
* Plugin Name: 10up Experience
* Plugin URI: https://github.com/10up/10up-experience
* Description: The 10up Experience plugin configures WordPress to better protect and inform clients, aligned to 10up’s best practices.
* Version: 1.12.0
* Version: 1.12.1
* Author: 10up
* Author URI: https://10up.com
* License: GPLv2 or later
Expand All @@ -19,7 +19,7 @@

use YahnisElsts\PluginUpdateChecker\v5\PucFactory;

define( 'TENUP_EXPERIENCE_VERSION', '1.12.0' );
define( 'TENUP_EXPERIENCE_VERSION', '1.12.1' );
define( 'TENUP_EXPERIENCE_DIR', __DIR__ );
define( 'TENUP_EXPERIENCE_FILE', __FILE__ );

11 changes: 10 additions & 1 deletion CHANGELOG.md
Expand Up @@ -2,7 +2,16 @@

All notable changes to this project will be documented in this file, per [the Keep a Changelog standard](http://keepachangelog.com/).

## [1.12.1] - 2024-09-24

- Add filter for allowlisting specific API routes `tenup_experience_rest_api_allowlist`

## [1.12.0] - 2024-08-22

- Add UI for disabling comments

## [1.11.2] - 2024-06-15

- Remove production setting

## [1.11.1] - 2023-10-27
Expand Down Expand Up @@ -201,7 +210,7 @@ All notable changes to this project will be documented in this file, per [the Ke

- Initial release

[Unreleased]: https://github.com/10up/10up-experience/compare/master...develop
[unreleased]: https://github.com/10up/10up-experience/compare/master...develop
[1.7.3]: https://github.com/10up/10up-experience/compare/1.7.2...1.7.3
[1.7.2]: https://github.com/10up/10up-experience/compare/1.7.1...1.7.2
[1.7.1]: https://github.com/10up/10up-experience/compare/1.7...1.7.1
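--- a/includes/classes/API/API.php
+++ b/includes/classes/API/API.php
@@ -51,7 +51,7 @@ public function restrict_rest_api( $result ) {
 
 $restrict = get_option( 'tenup_restrict_rest_api', $this->option_default );
 
-if ( 'all' === $restrict && ! $this->user_can_access_rest_api() ) {
+if ( 'all' === $restrict && ! $this->can_access_rest_api() ) {
 return new \WP_Error( 'rest_api_restricted', esc_html__( 'Authentication Required', 'tenup' ), array( 'status' => rest_authorization_required_code() ) );
 }
 
@@ -71,7 +71,7 @@ public function restrict_user_endpoints( $endpoints ) {
 return $endpoints;
 }
 
-if ( ! $this->user_can_access_rest_api() ) {
+if ( ! $this->can_access_rest_api() ) {
 $keys = preg_grep( '/\/wp\/v2\/users\b/', array_keys( $endpoints ) );
 
 foreach ( $keys as $key ) {
@@ -143,8 +143,18 @@ public function restrict_rest_api_ui() {
 * @param int $user_id User ID
 * @return bool Whether the given user can access the REST API
 */
-public function user_can_access_rest_api( $user_id = 0 ) {
-return is_user_logged_in();
+public function can_access_rest_api( $user_id = 0 ) {
+global $wp;
+
+$route = '';
+
+if ( isset( $wp->query_vars['rest_route'] ) ) {
+$route = $wp->query_vars['rest_route'];
+}
+
+$allowed_rest_routes_override = apply_filters( 'tenup_experience_rest_api_allowlist', [] );
+
+return is_user_logged_in() || in_array( $route, $allowed_rest_routes_override, true );
 }
 
 /**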
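Review bot: The allowlist check in `can_access_rest_api` is an exact string match against the raw `rest_route` query var, whereas WordPress hands `untrailingslashit( $wp->query_vars['rest_route'] )` to the REST server in `rest_api_loaded()`, so `/wp/v2/posts/` and `/wp/v2/posts` reach the same endpoint but only one spelling can ever match an allowlist entry; normalising the same way, `$route = untrailingslashit( $wp->query_vars['rest_route'] );`, keeps the comparison consistent with dispatch (the mismatch fails closed either way). The `apply_filters( 'tenup_experience_rest_api_allowlist', [] )` call has no filter docblock; a WordPress-style block above it should say that entries are literal request paths compared with `in_array( ..., true )` (not the regex route patterns given to `register_rest_route()`), that a listed route is exempt from this plugin's authentication gate for every HTTP method and is then governed only by the endpoint's own `permission_callback`, and carry `@since 1.12.1` and `@param string[] $allowed_rest_routes_override`. Renaming the public method from `user_can_access_rest_api` to `can_access_rest_api` (the first two hunks update the two internal callers) breaks any third-party code calling the old name; a one-line deprecated wrapper returning `$this->can_access_rest_api( $user_id )` would preserve it. The `$user_id` parameter documented in the retained docblock is still unused by the new body, as it was before.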
