-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathmrk-rest-permisssions.php
101 lines (93 loc) · 3.35 KB
/
mrk-rest-permisssions.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
<?php
/**
* Plugin Name: MRK Rest Permissions
* Plugin URI: https://www.mrkwp.com
* Description: MRK Rest Permissions by MRK WP.
* Author: MRK WP
* Author URI: https://www.mrkwp.com
* Text Domain: mrk-rest-permissions
* Domain Path: /languages
* Version: 1.0.2
* PHP version: 8.3
*
* @category Plugin
* @package MRK_Rest_Permissions
* @author Matt Knighton <[email protected]>
* @license GPL 2.0 https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html
* @link https://www.mrkwp.com
*/
// If this file is called firectly, abort!!!
defined( 'ABSPATH' ) or die( 'No Access!' );
/**
* The code that runs during plugin activation.
*
* @return void
*/
function activate_mrk_rest_permissions_plugin() {
flush_rewrite_rules();
}
register_activation_hook( __FILE__, 'activate_mrk_rest_permissions_plugin' );
/**
* The code that runs during plugin deactivation.
*
* @return void
*/
function deactivate_mrk_rest_permissions_plugin() {
flush_rewrite_rules();
}
register_deactivation_hook( __FILE__, 'deactivate_mrk_rest_permissions_plugin' );
/**
* Permission Callback to throw a 401 error on rest API for user endpoints.
* Callback should be called from an Init with any role checks already complete.
*
* @param [type] $existing_callback // The existing callback for permission on REST Endpoint.
* @return callback function.
*/
function mrk_permission_callback_hardener( $existing_callback ) {
return function ( $request ) use( $existing_callback ) {
return new WP_Error(
'rest_user_cannot_view',
__( 'Sorry, you are not allowed to access users.' ),
array( 'status' => rest_authorization_required_code() )
);
};
}
/**
* Add permission to all user endpoints inside REST API.
* Function should be called from an Init with any role checks already complete.
*
* @param array $endpoints A string containing the users endpoint.
*
* @return array $endpoints adjusted with new permission callback hardener.
*/
function mrk_add_permission_rest_users( $endpoints ) {
if ( isset( $endpoints['/wp/v2/users'] ) ) {
// Get permission callback part from rest object endpoint.
$users_get_route = &$endpoints['/wp/v2/users'][0];
// Bind new permission to users endpoint to create 401 if not logged in.
$users_get_route['permission_callback'] = mrk_permission_callback_hardener( $users_get_route['permission_callback'] );
}
if ( isset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] ) ) {
// Get permission callback part from rest object endpoint.
$user_get_route = &$endpoints['/wp/v2/users/(?P<id>[\d]+)'][0];
// Bind new permission to user/id endpoint to create 401 if not logged in.
$user_get_route['permission_callback'] = mrk_permission_callback_hardener( $user_get_route['permission_callback'] );
}
return $endpoints;
}
/**
* Initialise the tool and add end point when user cannot edit posts.
* Need to use INIT as current_user_can return false when called over rest API context as pluggable functions may not be available.
* After permission check run function to edit the rest endpoints.
*
* @return void
*/
function mrk_auth_rest_endpoints() {
// check if function exists as its pluggable.
if ( function_exists( 'current_user_can' ) ) {
if ( ! current_user_can( 'edit_posts' ) ) {
add_filter( 'rest_endpoints', 'mrk_add_permission_rest_users' );
}
}
}
add_action( 'init', 'mrk_auth_rest_endpoints' );