WP version is 5.5.3

I have 3 API routes set in a plugin that is used in an admin dashboard page. One route is meant to be used "publicly".

I have two very curious issues happening:

  1. My 3 admin-centric routes do not specify permission_callback. I should be getting notices but I do not when the docs and WP core functions say it will throw a doing_it_wrong error.
  2. My 4th public route does have 'permission_callback' => '__return_true' set. I receive a rest_not_logged_in error code.

```php
class My_Plugin
{
    public function __construct()
    {
        add_action( 'rest_api_init', [ &$this, 'register_routes' ] );
    }

    public function register_routes(): void
    {
        register_rest_route('my-api-route', '/uri', [
            'methods' => WP_REST_Server::READABLE,
            'callback' => [&$this, 'api_get_available_stuff'],
        ]);

        register_rest_route('my-api-route', "/uri/(?P<param>[a-zA-Z0-9-]+)", [
            'methods' => WP_REST_Server::READABLE,
            'callback' => [&$this, 'api_get_specific_stuff'],
        ]);

        register_rest_route('my-api-route', "/uri/(?P<param>[0-9-]+)", [
            'methods' => WP_REST_Server::EDITABLE,
            'callback' => [&$this, 'api_update_specific_stuff'],
        ]);

        register_rest_route('my-api-route', "/uri/(?P<param>[a-zA-Z0-9-]+)/load-more", [
            'methods' => WP_REST_Server::READABLE,
            'callback' => [&$this, 'api_load_more_stuff'],
            'permission_callback' => '__return_true',
        ]);
    }
}
```

```js
// header approach
$.ajax({
  url: '/wp-json/my-api-route/uri/param/load-more',
  method: 'GET',
  headers: {
    'X-WP-Nonce': '<?php echo wp_create_nonce('wp_rest'); ?>'
  },
  data: {
    'max_items': 5,
    'offset': 5 * current_count,
  },
})

// _wpnonce approach
$.ajax({
  url: '/wp-json/my-api-route/uri/param/load-more',
  method: 'GET',
  data: {
    '_wpnonce': '<?php echo wp_create_nonce('wp_rest'); ?>',
    'max_items': 5,
    'offset': 5 * current_count,
  },
})
```

My only conclusion could be that, despite seeing "Version 5.5.3" in the bottom corner of WP Admin, I might not actually be on 5.5.3.

asked Dec 2, 2020 at 21:56 by James Wagoner
  • "I should be getting notices but I do not when the docs and WP core functions say it will throw a doing_it_wrong error." Where does it say that? If you don't have a permissions callback, the route will be public. – Jacob Peattie Commented Dec 2, 2020 at 23:34
  • For reference: developer.wordpress.org/rest-api/extending-the-rest-api/… – Timothy Jacobs Commented Dec 3, 2020 at 5:26
  • 1. "functions say it will throw a doing_it_wrong error" - yes, but only if you enable debugging, i.e. WP_DEBUG is true. 2. "I receive a rest_not_logged_in error code" - maybe that's being returned from your api_load_more_stuff() function - check for rest_not_logged_in in your callbacks. – Sally CJ Commented Dec 3, 2020 at 8:39
  • @SallyCJ load_more_stuff is running a query and returning the array. No other logic. – James Wagoner Commented Dec 3, 2020 at 19:16
  • Heading in a different direction currently to where this issue becomes irrelevant. Still would like to know why this is happening but being frank, I don't care enough when needing to keep moving. However, gonna keep checking back to see if others have thoughts. – James Wagoner Commented Dec 3, 2020 at 19:28

1 Answer

Are you sure that a _doing_it_wrong notice isn't being issued? You won't see the notice visibly output on the page because that would break the JSON response. But if you look in the headers of the response you should see an X-WP-DoingItWrong header.

It should also appear if you use a plugin like this to record developer notices: https://wordpress.org/plugins/log-deprecated-notices/
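
As an added example (not code from the question or the answer), here is one way to register the same four routes so that each one declares its access rule explicitly, which also removes the `_doing_it_wrong` notice. The class name `My_Plugin_Rest`, the shared `handle()` callback and the `manage_options` capability are assumptions made for illustration.

```php
// Added example: hypothetical names; 'manage_options' is an assumed capability.
class My_Plugin_Rest
{
    const NS = 'my-api-route';

    public function __construct()
    {
        add_action( 'rest_api_init', [ $this, 'register_routes' ] );
    }

    public function register_routes(): void
    {
        $slug  = '(?P<param>[a-zA-Z0-9-]+)';
        $admin = [ $this, 'require_admin' ];
        // Admin-only routes: the capability check runs before the callback.
        $this->add( '/uri', WP_REST_Server::READABLE, $admin );
        $this->add( "/uri/$slug", WP_REST_Server::READABLE, $admin );
        $this->add( '/uri/(?P<param>[0-9-]+)', WP_REST_Server::EDITABLE, $admin );
        // Intentionally public route: say so with __return_true.
        $this->add( "/uri/$slug/load-more", WP_REST_Server::READABLE, '__return_true' );
    }

    // Single registration path, so no route can omit permission_callback.
    private function add( string $route, string $methods, callable $permission ): void
    {
        register_rest_route( self::NS, $route, [
            'methods'             => $methods,
            'callback'            => [ $this, 'handle' ],
            'permission_callback' => $permission,
        ] );
    }

    // Returning a WP_Error stops the request before the route callback runs.
    public function require_admin( WP_REST_Request $request )
    {
        if ( current_user_can( 'manage_options' ) ) {
            return true;
        }
        return new WP_Error( 'rest_forbidden', 'You are not allowed to access this route.',
            [ 'status' => rest_authorization_required_code() ] );
    }

    // Placeholder handler (assumption): echoes the matched route and URL parameters.
    public function handle( WP_REST_Request $request )
    {
        return rest_ensure_response( [ 'route' => $request->get_route(), 'params' => $request->get_url_params() ] );
    }
}
```

With cookie authentication from an admin page, the request has to carry the `wp_rest` nonce (as in the question's `X-WP-Nonce` header); without it WordPress treats the request as unauthenticated and `require_admin` rejects it.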
