WordPress.org

Making WordPress.org

Changeset 6226


Ignore:
Timestamp:
12/03/2017 10:01:27 PM (7 months ago)
Author:
coreymckrill
Message:

WordCamp Coming Soon: Disable anonymous REST requests in Coming Soon mode

This prevents the REST API from sending successful responses to unauthenticated
requests while Coming Soon mode is active, thus preventing the site's content
from being publicly accessible via REST.

Props RMarks, icaleb, briandichiara
Fixes #2934

File:
1 edited

Legend:

Unmodified
Added
Removed
  • sites/trunk/wordcamp.org/public_html/wp-content/plugins/wordcamp-coming-soon-page/classes/wordcamp-coming-soon-page.php

    r6014 r6226  
    99     */
    1010    public function __construct() {
    11         add_action( 'init',               array( $this, 'init' ), 11 );                               // after WCCSP_Settings::init()
    12         add_action( 'wp_enqueue_scripts', array( $this, 'manage_plugin_theme_stylesheets' ), 99 );    // (hopefully) after all plugins/themes have enqueued their styles
    13         add_action( 'wp_head',            array( $this, 'render_dynamic_styles' ) );
    14         add_filter( 'template_include',   array( $this, 'override_theme_template' ) );
    15         add_action( 'template_redirect',  array( $this, 'disable_jetpacks_open_graph' ) );
    16         add_action( 'admin_bar_menu',     array( $this, 'admin_bar_menu_item' ), 1000 );
    17         add_action( 'admin_head',         array( $this, 'admin_bar_styling' ) );
    18         add_action( 'wp_head',            array( $this, 'admin_bar_styling' ) );
    19         add_action( 'admin_notices',      array( $this, 'block_new_post_admin_notice' ) );
    20         add_filter( 'get_post_metadata',  array( $this, 'jetpack_dont_email_post_to_subs' ), 10, 4 );
     11        add_action( 'init',                       array( $this, 'init' ), 11 );                               // after WCCSP_Settings::init()
     12        add_action( 'wp_enqueue_scripts',         array( $this, 'manage_plugin_theme_stylesheets' ), 99 );    // (hopefully) after all plugins/themes have enqueued their styles
     13        add_action( 'wp_head',                    array( $this, 'render_dynamic_styles' ) );
     14        add_filter( 'template_include',           array( $this, 'override_theme_template' ) );
     15        add_action( 'template_redirect',          array( $this, 'disable_jetpacks_open_graph' ) );
     16        add_filter( 'rest_authentication_errors', array( $this, 'disable_rest_endpoints' ) );
     17        add_action( 'admin_bar_menu',             array( $this, 'admin_bar_menu_item' ), 1000 );
     18        add_action( 'admin_head',                 array( $this, 'admin_bar_styling' ) );
     19        add_action( 'wp_head',                    array( $this, 'admin_bar_styling' ) );
     20        add_action( 'admin_notices',              array( $this, 'block_new_post_admin_notice' ) );
     21        add_filter( 'get_post_metadata',          array( $this, 'jetpack_dont_email_post_to_subs' ), 10, 4 );
    2122
    2223        add_image_size( 'wccsp_image_medium_rectangle', 500, 300 );
     
    117118            add_filter( 'jetpack_enable_open_graph', '__return_false' );
    118119        }
     120    }
     121
     122    /**
     123     * Disable the REST API for unauthenticated requests when the Coming Soon page is active.
     124     */
     125    public function disable_rest_endpoints( $access ) {
     126        if ( $this->override_theme_template ) {
     127            return new WP_Error(
     128                'rest_cannot_access',
     129                __( 'The REST API is not available while the site is in Coming Soon mode.', 'wordcamporg' ),
     130                array( 'status' => 403 )
     131            );
     132        }
     133
     134        return $access;
    119135    }
    120136
Note: See TracChangeset for help on using the changeset viewer.