*/
public function check_authentication() {
/**
- * Pass an authentication error to the API
+ * Filters REST authentication errors.
*
* This is used to pass a WP_Error from an authentication method back to
* the API.
*/
$this->send_header( 'X-Content-Type-Options', 'nosniff' );
$this->send_header( 'Access-Control-Expose-Headers', 'X-WP-Total, X-WP-TotalPages' );
- $this->send_header( 'Access-Control-Allow-Headers', 'Authorization' );
+ $this->send_header( 'Access-Control-Allow-Headers', 'Authorization, Content-Type' );
/**
* Send nocache headers on authenticated requests.
* Filters whether the REST API is enabled.
*
* @since 4.4.0
+ * @deprecated 4.7.0 Use the rest_authentication_errors filter to restrict access to the API
*
* @param bool $rest_enabled Whether the REST API is enabled. Default true.
*/
- $enabled = apply_filters( 'rest_enabled', true );
+ apply_filters_deprecated( 'rest_enabled', array( true ), '4.7.0', 'rest_authentication_errors', __( 'The REST API can no longer be completely disabled, the rest_authentication_errors can be used to restrict access to the API, instead.' ) );
/**
* Filters whether jsonp is enabled.
$jsonp_callback = null;
- if ( ! $enabled ) {
- echo $this->json_error( 'rest_disabled', __( 'The REST API is disabled on this site.' ), 404 );
- return false;
- }
if ( isset( $_GET['_jsonp'] ) ) {
if ( ! $jsonp_enabled ) {
echo $this->json_error( 'rest_callback_disabled', __( 'JSONP support is disabled on this site.' ), 400 );
$jsonp_callback = $_GET['_jsonp'];
if ( ! wp_check_jsonp_callback( $jsonp_callback ) ) {
- echo $this->json_error( 'rest_callback_invalid', __( 'The JSONP callback function is invalid.' ), 400 );
+ echo $this->json_error( 'rest_callback_invalid', __( 'Invalid JSONP callback function.' ), 400 );
return false;
}
}
}
if ( $jsonp_callback ) {
- // Prepend '/**/' to mitigate possible JSONP Flash attacks
+ // Prepend '/**/' to mitigate possible JSONP Flash attacks.
// https://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/
echo '/**/' . $jsonp_callback . '(' . $result . ')';
} else {
continue;
}
- // Relation now changes from '$uri' to '$curie:$relation'
+ // Relation now changes from '$uri' to '$curie:$relation'.
$rel_regex = str_replace( '\{rel\}', '(.+)', preg_quote( $curie['href'], '!' ) );
preg_match( '!' . $rel_regex . '!', $rel, $matches );
if ( $matches ) {
// Determine if any real links were found.
$has_links = count( array_filter( $embeds ) );
+
if ( $has_links ) {
$embedded[ $rel ] = $embeds;
}
* @param string $namespace Namespace.
* @param string $route The REST route.
* @param array $route_args Route arguments.
- * @param bool $override Optional. Whether the route should be overriden if it already exists.
+ * @param bool $override Optional. Whether the route should be overridden if it already exists.
* Default false.
*/
public function register_route( $namespace, $route, $route_args, $override = false ) {
// Allow comma-separated HTTP methods.
if ( is_string( $handler['methods'] ) ) {
$methods = explode( ',', $handler['methods'] );
- } else if ( is_array( $handler['methods'] ) ) {
+ } elseif ( is_array( $handler['methods'] ) ) {
$methods = $handler['methods'];
} else {
$methods = array();
}
}
}
+
return $endpoints;
}
$check_required = $request->has_valid_params();
if ( is_wp_error( $check_required ) ) {
$response = $check_required;
+ } else {
+ $check_sanitized = $request->sanitize_params();
+ if ( is_wp_error( $check_sanitized ) ) {
+ $response = $check_sanitized;
+ }
}
-
- $request->sanitize_params();
}
+ /**
+ * Filters the response before executing any REST API callbacks.
+ *
+ * Allows plugins to perform additional validation after a
+ * request is initialized and matched to a registered route,
+ * but before it is executed.
+ *
+ * Note that this filter will not be called for requests that
+ * fail to authenticate or match to a registered route.
+ *
+ * @since 4.7.0
+ *
+ * @param WP_HTTP_Response $response Result to send to the client. Usually a WP_REST_Response.
+ * @param WP_REST_Server $handler ResponseHandler instance (usually WP_REST_Server).
+ * @param WP_REST_Request $request Request used to generate the response.
+ */
+ $response = apply_filters( 'rest_request_before_callbacks', $response, $handler, $request );
+
if ( ! is_wp_error( $response ) ) {
// Check permission specified on the route.
if ( ! empty( $handler['permission_callback'] ) ) {
if ( is_wp_error( $permission ) ) {
$response = $permission;
- } else if ( false === $permission || null === $permission ) {
+ } elseif ( false === $permission || null === $permission ) {
$response = new WP_Error( 'rest_forbidden', __( 'Sorry, you are not allowed to do that.' ), array( 'status' => 403 ) );
}
}
}
}
+ /**
+ * Filters the response immediately after executing any REST API
+ * callbacks.
+ *
+ * Allows plugins to perform any needed cleanup, for example,
+ * to undo changes made during the {@see 'rest_request_before_callbacks'}
+ * filter.
+ *
+ * Note that this filter will not be called for requests that
+ * fail to authenticate or match to a registered route.
+ *
+ * Note that an endpoint's `permission_callback` can still be
+ * called after this filter - see `rest_send_allow_header()`.
+ *
+ * @since 4.7.0
+ *
+ * @param WP_HTTP_Response $response Result to send to the client. Usually a WP_REST_Response.
+ * @param WP_REST_Server $handler ResponseHandler instance (usually WP_REST_Server).
+ * @param WP_REST_Request $request Request used to generate the response.
+ */
+ $response = apply_filters( 'rest_request_after_callbacks', $response, $handler, $request );
+
if ( is_wp_error( $response ) ) {
$response = $this->error_to_response( $response );
} else {
if ( isset( $opts['description'] ) ) {
$arg_data['description'] = $opts['description'];
}
+ if ( isset( $opts['type'] ) ) {
+ $arg_data['type'] = $opts['type'];
+ }
+ if ( isset( $opts['items'] ) ) {
+ $arg_data['items'] = $opts['items'];
+ }
$endpoint_data['args'][ $key ] = $arg_data;
}
}
scripts.mit.edu / autoinstalls / wordpress.git / blobdiff