I'm writing some code that updates options using update_option using the REST API and apiFetch.
I'm used to doing this using AJAX where I would pass a nonce along in the request to my PHP function, as well as check for current user capabilities.
Using the REST API and apiFetch feels much better than using AJAX, but I feel like I'm missing something when it comes to security.
Here's an idea of what I'm doing:

    register_rest_route(
        $namespace,
        '/update_settings/',
        array(
            'methods'             => WP_REST_Server::EDITABLE,
            'callback'            => array( $this, 'update_settings' ),
            'permission_callback' => array( $this, 'update_settings_permission' ),
        )
    );

My permission_callback looks like this:

    public function update_settings_permission() {
        if ( ! current_user_can( 'manage_options' ) ) {
            return $this->error( 'user_dont_have_permission', __( 'You do not have permission to change options.' ) );
        }
        return true;
    }

My update_settings function looks like this:

    public function update_settings( WP_REST_Request $request ) {
        $new_settings = $request->get_param( 'settings' );
        if ( is_array( $new_settings ) ) {
            $current_settings = get_option( 'my_options', array() );
            update_option( 'my_options', array_merge( $current_settings, $new_settings ) );
        }
        return $this->success( true );
    }

And then the request itself is quite standard:

    apiFetch( {
        path: 'namespace/v1/update_settings',
        method: 'POST',
        data: {
            settings: this.state.settings,
        },
    } ).then( ( result ) => {
        // all done.
    } );

This all works perfectly, but it seems too easy. Should I be passing a nonce along somewhere? It seems like apiFetch has some middlewares that include a nonce - is this all done for us by default?
asked Nov 15, 2020 at 0:57 by Tom

1 Answer
> This all works perfectly, but it seems too easy. Should I be passing a nonce along somewhere?

No

> It seems like apiFetch has some middlewares that include a nonce - is this all done for us by default?

Yes.

If your endpoint requires a nonce and apiFetch did not provide it, then apiFetch would not work. Authenticated endpoints using cookie based auth require nonces.

Remember, the REST API authentication and security is server side. apiFetch is client side. apiFetch cannot magically bypass the server side checks unless you deliberately added such a bypass. If you had, you would know about it and you would not have asked this question, as that would require a considerable amount of effort and intention to do.

There are security issues here, but they are unrelated to apiFetch. The use of apiFetch has not reduced your security.
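An added example, not the asker's code and not the answerer's, showing the same endpoint written so the server does the checking the answer describes: the `settings` argument is validated and sanitized against a REST schema before the callback runs, the permission check returns a `WP_Error` with a proper status, and only declared keys are merged into the option. The option name `my_options` is from the question; the class name, route name and the three setting keys are hypothetical.

```php
<?php
// Added example (assumed plugin context). Nothing nonce-related appears here:
// apiFetch sends the X-WP-Nonce header and core verifies it (action 'wp_rest')
// during cookie authentication, before permission_callback is reached.
class My_Settings_Controller {
    const OPTION = 'my_options'; // option name from the question

    // Schema for the 'settings' parameter. Unknown keys and wrong types are
    // rejected by the REST server itself (additionalProperties => false).
    private function settings_schema() {
        return array(
            'type'                 => 'object',
            'properties'           => array(
                'enabled'  => array( 'type' => 'boolean' ),
                'api_host' => array( 'type' => 'string', 'format' => 'uri' ),
                'limit'    => array( 'type' => 'integer', 'minimum' => 1, 'maximum' => 100 ),
            ),
            'additionalProperties' => false,
        );
    }

    public function register_routes() {
        register_rest_route( 'namespace/v1', '/settings', array(
            'methods'             => WP_REST_Server::EDITABLE,
            'callback'            => array( $this, 'update_settings' ),
            'permission_callback' => array( $this, 'update_settings_permission' ),
            'args'                => array(
                'settings' => array_merge( $this->settings_schema(), array(
                    'required'          => true,
                    'validate_callback' => 'rest_validate_request_arg',
                    'sanitize_callback' => 'rest_sanitize_request_arg',
                ) ),
            ),
        ) );
    }

    public function update_settings_permission() {
        if ( ! current_user_can( 'manage_options' ) ) {
            // A WP_Error is what the REST server expects; 'status' becomes the HTTP code.
            return new WP_Error( 'rest_forbidden', __( 'You do not have permission to change options.' ),
                array( 'status' => rest_authorization_required_code() ) );
        }
        return true;
    }

    public function update_settings( WP_REST_Request $request ) {
        // Only keys declared in the schema can reach this point.
        $new_settings     = $request->get_param( 'settings' );
        $current_settings = get_option( self::OPTION, array() );
        update_option( self::OPTION, array_merge( $current_settings, $new_settings ) );
        return rest_ensure_response( array( 'success' => true ) );
    }
}
add_action( 'rest_api_init', function () { ( new My_Settings_Controller() )->register_routes(); } );
```

A request whose `settings` object carries an undeclared key or a string where an integer is expected gets a 400 `rest_invalid_param` response from core, so the callback never merges it.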
settings rather than update_settings, as it's the HTTP method not the name of the endpoint that's meant to indicate the action, e.g. GET retrieves data, POST/UPDATE/PUT adds or updates data, DELETE deletes it – Tom J Nowell ♦ Commented Nov 15, 2020 at 1:13