szepeviktor / waf4wordpress

WAF for WordPress 🔥 with 60+ security checks and weekly updates
https://github.com/szepeviktor/wordpress-website-lifecycle
MIT License
123 stars, 25 forks

Internal, non-HTTP REST request #13

Closed szepeviktor closed 2 months ago

szepeviktor commented 2 months ago

In the rest_post_dispatch filter I have an authentication problem for editors. https://github.com/szepeviktor/waf4wordpress/blob/5938f721e6cb23562b4f2bdae44ef57c68ea3d00/src/CoreEvents.php#L447-L451 Editors don't have the list_users permission.

  1. Could WP have an internal REST request in an HTTP GET /wp-admin/post-new.php request?
  2. How can I detect that it is not an HTTP REST request but an internal one?

@johnbillion Please help me.

szepeviktor commented 2 months ago

Workaround: adding && $route !== '/wp/v2/users/me'

johnbillion commented 2 months ago

I'm not sure what you're asking, but if you want to detect an internal REST API request you unfortunately might need to look at the request with wp_is_json_request(). Although a REST API HTTP request could still perform an internal REST API request, so you'd need to account for that.

szepeviktor commented 2 months ago

Thank you for your comment. I decided - instead of deleting WordPress from the Internet - to bail out early in the filter hook when wp_is_json_request() returns false.
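The approach the thread settles on (skip the check for internal dispatches by bailing out when wp_is_json_request() returns false, and exempt the /wp/v2/users/me route that the editor screen preloads), written out as an added PHP example. This is not waf4wordpress's own code: the function name example_waf_rest_post_dispatch, the hypothetical "deny user listing to callers without list_users" policy, and the 403 response body are assumptions made for illustration; rest_post_dispatch, wp_is_json_request(), WP_REST_Request::get_route() and current_user_can() are real WordPress APIs.

```php
<?php
/**
 * Added example (not waf4wordpress code): a rest_post_dispatch filter that
 * only inspects genuine HTTP REST requests.
 *
 * Internal dispatches, such as wp-admin/post-new.php preloading
 * /wp/v2/users/me for the block editor, carry no JSON Accept/Content-Type
 * header, so wp_is_json_request() is false for them and we return early.
 * That is what keeps editors (who lack list_users) from being blocked
 * while loading their own admin screen.
 */

add_filter( 'rest_post_dispatch', 'example_waf_rest_post_dispatch', 10, 3 );

/**
 * @param WP_HTTP_Response $result  Response produced by the route handler.
 * @param WP_REST_Server   $server  The REST server instance.
 * @param WP_REST_Request  $request The request that was dispatched.
 * @return WP_HTTP_Response
 */
function example_waf_rest_post_dispatch( $result, $server, $request ) {
    // 1. Not an HTTP JSON request: this is an internal rest_do_request()
    //    style dispatch. Leave it alone, as discussed in the thread.
    if ( ! wp_is_json_request() ) {
        return $result;
    }

    // Caveat raised in the thread: an HTTP REST request can itself trigger a
    // nested internal dispatch, and wp_is_json_request() is true for both.
    // Keying the policy on the route keeps the check narrow.
    $route = $request->get_route();

    // 2. The workaround from the thread: the current user's own record is
    //    always allowed, whatever capabilities they hold.
    if ( '/wp/v2/users/me' === $route ) {
        return $result;
    }

    // 3. Hypothetical policy (assumption, not the project's rule): user
    //    enumeration via /wp/v2/users* requires list_users.
    if ( 0 === strpos( $route, '/wp/v2/users' ) && ! current_user_can( 'list_users' ) ) {
        // Replace the already-computed response so nothing leaks to the client.
        return new WP_REST_Response(
            array(
                'code'    => 'example_waf_forbidden',
                'message' => 'You are not allowed to list users.',
                'data'    => array( 'status' => 403 ),
            ),
            403
        );
    }

    return $result;
}
```

Usage: drop this into a must-use plugin, then load wp-admin/post-new.php as an Editor (the preload passes through step 1 untouched) and compare with an anonymous GET /wp-json/wp/v2/users sent with Accept: application/json, which reaches step 3 and is answered with the 403 body above.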