
Changeset 1552


Timestamp:
05/07/2015 08:22:00 PM (10 years ago)
Author:
iandunn
Message:

WordCamp JSON API: Whitelist /posts/types and /posts/types/<type> routes.

File:
1 edited

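--- a/sites/trunk/wordcamp.org/public_html/wp-content/mu-plugins/wcorg-json-api.php
+++ b/sites/trunk/wordcamp.org/public_html/wp-content/mu-plugins/wcorg-json-api.php
@@ -35,6 +35,10 @@
             array( array( $wp_json_posts, 'get_post' ),       WP_JSON_Server::READABLE ),
         ),
-
-        // todo Add /posts/types too, because it's useful for debugging and there's no harm. It has a different array structure than the current ones, though, so this will need some work.
+        '/posts/types' => array(
+            array( array( $wp_json_posts, 'get_post_types' ), WP_JSON_Server::READABLE ),
+        ),
+        '/posts/types/(?P<type>\w+)' => array(
+            array( array( $wp_json_posts, 'get_post_type' ),  WP_JSON_Server::READABLE ),
+        ),
     );
 
@@ -176,5 +180,5 @@
             $speaker_id               = get_post_meta( $prepared_post['ID'], '_wcpt_speaker_id', true );
             $speaker                  = $wp_json_posts->get_post( $speaker_id );
-            $prepared_post['speaker'] = is_a( $speaker, 'WP_JSON_Response' ) ? $speaker : null;
+            $prepared_post['speaker'] = is_a( $speaker, 'WP_JSON_Response' ) ? $speaker : null; // todo Add multiple speakers when upgrade to v2 of the API bug, see #1020-meta
             break;
     }
@@ -275,4 +279,5 @@
 add_action( 'wp_json_server_before_serve', 'wcorg_json_avoid_nested_callback_conflicts', 11 );    // after the default endpoints are added in `json_api_default_filters()`
 
+
 /*
  * WP-CLI Commands
@@ -293,4 +298,8 @@
 
             // These calls are not formatted in a more compact way because we don't want to short-circuit any of them if one fails
+            if ( $this->post_types_exposed() ) {
+                $errors = true;
+            }
+
             if ( $this->post_meta_exposed() ) {
                 $errors = true;
@@ -305,4 +314,51 @@
                 WP_CLI::success( 'All of the tests passed. If the tests are comprehensive and working properly, then all sensitive data has been properly scrubbed.' );
             }
+        }
+
+        /**
+         * Check if any sensitive post types are being exposed.
+         *
+         * See note in post_meta_exposed() about test data.
+         *
+         * @return bool
+         */
+        protected function post_types_exposed() {
+            $errors = false;
+
+            WP_CLI::line();
+            WP_CLI::line( 'Checking post types.' );
+
+            // Check Central and a normal site, because they can have different types loaded
+            $post_types_endpoints = array(
+                'http://central.wordcamp.org/wp-json/posts/types',
+                'http://europe.wordcamp.org/2014/wp-json/posts/types',
+            );
+
+            $whitelisted_post_types = array(
+                'post', 'page', 'attachment', 'revision', 'wcb_speaker', 'wcb_session', 'wcb_sponsor', 'mes',
+                'mes-sponsor-level', 'wordcamp'
+            );
+
+            foreach ( $post_types_endpoints as $request_url ) {
+                $request_url = apply_filters( 'wcorg_json_api_verify_data_scrubbed_url', $request_url );    // Use this filter to override the URLs with corresponding endpoints on your sandbox
+                $response    = json_decode( wp_remote_retrieve_body( wp_remote_get( $request_url ) ) );
+
+                if ( empty( $response->post->slug ) ) {
+                    $errors = true;
+                    WP_CLI::warning( "Unable to retrieve post types from $request_url", false );
+                    continue;
+                }
+
+                foreach ( $response as $post_type ) {
+                    if ( in_array( $post_type->slug, $whitelisted_post_types ) ) {
+                        WP_CLI::line( "{$post_type->slug} is whitelisted." );
+                    } else {
+                        $errors = true;
+                        WP_CLI::warning( "{$post_type->slug} is being exposed at $request_url" );
+                    }
+                }
+            }
+
+            return $errors;
         }
 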
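Review bot: The allow-list check in post_types_exposed() (the last hunk) uses a loose `in_array`; since this comparison decides whether an exposed type is reported, pass `true` as the third argument so it is a strict string match, `if ( in_array( $post_type->slug, $whitelisted_post_types, true ) ) {`. The docblock's bare `@return bool` would be more useful if it stated the fail-closed behaviour the body implements, e.g. `@return bool True if a non-whitelisted type was exposed, or if an endpoint's response could not be retrieved/parsed (treated as an error so the check never passes vacuously).` Separately, the whitelist contains `mes-sponsor-level`, while the `/posts/types/(?P<type>\w+)` route added in the first hunk cannot match a hyphenated slug because `\w` excludes `-`; this presumably mirrors the upstream route pattern, but a short comment on the route would save the next reader from expecting the two lists to agree. The enclosing WP-CLI command class starts outside the hunk.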