Changeset 1544

Timestamp:

05/05/2015 11:22:45 PM (11 years ago)

Author:

iandunn

Message:

WordCamp JSON API: Create whitelisted endpoint array from scratch.

This essentially reverts [wordcamp1972], so that we are creating a new array and populating it with whitelisted items, instead of traversing the original array and removing blacklisted items.

The previous approach was taken because at the time it appeared we would need to access endpoint variables that were not available globally -- such as $wp_json_post_meta -- but it turns out that we don't, and this approach is much simpler. In order to add new endpoints like posts/types, which have a different array structure than the currently supported ones, it would have been necessary to significantly increase the complexity of the traversal logic. With this approach, adding new endpoints is straightforward, regardless of structural inconsistencies.

File:

• sites/trunk/wordcamp.org/public_html/wp-content/mu-plugins/wcorg-json-api.php (modified) (1 diff)

sites/trunk/wordcamp.org/public_html/wp-content/mu-plugins/wcorg-json-api.php

@@ -23 +23 @@
  */
 function wcorg_json_whitelist_endpoints( $endpoints ) {
+    global $wp_json_server, $wp_json_posts;
+
     $whitelisted_endpoints = array(
-        '/posts'             => array( 'get_posts' ),
-        '/posts/(?P<id>\d+)' => array( 'get_post'  ),
+        '/' => array( array( $wp_json_server, 'get_index' ),  WP_JSON_Server::READABLE ),
+
+        // Posts
+        '/posts' => array(
+            array( array( $wp_json_posts, 'get_posts' ),      WP_JSON_Server::READABLE ),
+        ),
+        '/posts/(?P<id>\d+)' => array(
+            array( array( $wp_json_posts, 'get_post' ),       WP_JSON_Server::READABLE ),
+        ),
+
         // todo Add /posts/types too, because it's useful for debugging and there's no harm. It has a different array structure than the current ones, though, so this will need some work.
     );
 
-    foreach ( $endpoints as $endpoint => $endpoint_data ) {
-        /*
-         * Don't attempt to scan '/' because it has a different array structure than normal endpoints and is
-         * unlikely to expose anything sensitive.
-         */
-        if ( '/' == $endpoint ) {
-            continue;
-        }
-
-        if ( array_key_exists( $endpoint, $whitelisted_endpoints ) ) {
-            // Allow the endpoint, but remove any of its callbacks that aren't whitelisted and read-only
-
-            foreach ( $endpoint_data as $callback_index => $callback ) {
-                $callback_name        = $callback[0][1];
-                $callback_permissions = $callback[1];
-
-                if ( ! in_array( $callback_name, $whitelisted_endpoints[ $endpoint ] ) || WP_JSON_Server::READABLE != $callback_permissions ) {
-                    unset( $endpoints[ $endpoint ][ $callback_index ] );
-                }
-            }
-        } else {
-            // Remove endpoints that aren't whitelisted
-
-            unset( $endpoints[ $endpoint ] );
-        }
-    }
-
-    return $endpoints;
+    return $whitelisted_endpoints;
 }
 add_filter( 'json_endpoints', 'wcorg_json_whitelist_endpoints', 999 );