I'm trying to assert current_user_can() in the permission_callback method of a register_rest_route function. However, it always returns false.

Upon further debugging, I see that wp_get_current_user() function returns ID zero, which probably means the $current_user global isn't available at the moment of execution.

That means this example from the documentation shouldn't work:

<?php
add_action( 'rest_api_init', function () {
    register_rest_route( 'myplugin/v1', '/author/(?P<id>\d+)', array(
        'methods' => 'GET',
        'callback' => 'my_awesome_func',
        'args' => array(
            'id' => array(
                'validate_callback' => 'is_numeric'
            ),
        ),
        'permission_callback' => function () {
            return current_user_can( 'edit_others_posts' );
        }
    ) );
} );

And indeed it doesn't.

Further debugging:

<?php
// muplugins/test.php
add_action('rest_api_init', function() {

    // Works. Returns current WP_User.
    wp_get_current_user();

    // Works. Returns current WP_User.
    global $current_user;

    register_rest_route('test', 'user', [
        'methods' => 'GET',

        // In a closure. Does not work. Returns zero.
        'callback' => function() {
            var_dump(wp_get_current_user());exit;
        },

        // In a class. Does not work. Returns zero.
        'callback' => [new Something, 'test_wp_get_current_user_in_a_class'],

        // In a function. Does not work. Returns zero.
        'callback' => 'test_wp_get_current_user',

        'permission_callback' => function() {
            // Does not work. Returns zero.
            wp_get_current_user();

            // Does not work. Returns zero.
            global $current_user;
            $current_user->ID;
        }
    ]);
});

function test_wp_get_current_user()
{
    var_dump(wp_get_current_user());exit;
}

class Something
{
    public function test_wp_get_current_user_in_a_class()
    {
        var_dump(wp_get_current_user());exit;
    }
}

How can I use current_user_can() inside register_rest_route()? Or yet, should I?

Asked Nov 28, 2018 at 20:23 by Lucas Bustamante; edited May 29, 2019 at 21:49
  • 2 The answer right here might help: stackoverflow/questions/47455745/… – czerspalace Commented Nov 28, 2018 at 21:43
  • 1 Or the docs on Authentication: developer.wordpress/rest-api/using-the-rest-api/… You need to send the nonce, or the user is not signed in. – Jacob Peattie Commented Nov 29, 2018 at 10:07
  • This is correct. Do you mind posting an answer so I can accept it? – Lucas Bustamante Commented Nov 29, 2018 at 10:15

1 Answer

You need to pass the wp_rest nonce with the JavaScript request that you send to REST.

This nonce is what passes the information from PHP to JavaScript about which user is making the request.

Example:

<form>
    <input type="text" name="rest_auth_nonce" value="<?= esc_attr( wp_create_nonce( 'wp_rest' ) ) ?>">
</form>

<script>
    jQuery.ajax({
        beforeSend: function (xhr) {
            xhr.setRequestHeader('X-WP-Nonce', jQuery('form').find('input[name="rest_auth_nonce"]').val());
        }
    });
</script>
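
The behaviour behind this question and answer, as an added example that is not part of the original post and is not WordPress code: a simplified JavaScript model of REST cookie authentication, in which a request carrying a login cookie but no `X-WP-Nonce` header resolves to user 0, so `current_user_can()` fails. The function names, the sample user and the nonce value are constructed for illustration; the real check also accepts a `_wpnonce` request parameter.

```javascript
// Simplified model (constructed for illustration) of WordPress REST cookie auth.
const VALID_NONCE = 'constructed-nonce-123'; // constructed sample value
const SESSION_USER = { id: 7, caps: ['edit_others_posts'] }; // constructed user
const ANONYMOUS = { id: 0, caps: [] };

// Server side: decide who the "current user" is for a REST request.
// The login cookie alone is not trusted, because any cross-site page
// can make the browser send it (CSRF). The nonce proves same-site origin.
function resolveCurrentUser(req) {
  const nonce = req.headers['x-wp-nonce'];
  if (nonce === undefined) {
    return { user: ANONYMOUS };            // cookie ignored, user ID becomes 0
  }
  if (nonce !== VALID_NONCE) {
    return { error: { status: 403, code: 'rest_cookie_invalid_nonce' } };
  }
  return { user: SESSION_USER };           // cookie accepted
}

// Server side: a route whose permission_callback is
// current_user_can('edit_others_posts').
function serverHandle(req) {
  const auth = resolveCurrentUser(req);
  if (auth.error) return auth.error;
  if (!auth.user.caps.includes('edit_others_posts')) {
    // A false permission_callback yields 401 for anonymous, 403 for logged-in.
    return { status: auth.user.id === 0 ? 401 : 403, code: 'rest_forbidden' };
  }
  return { status: 200, userId: auth.user.id };
}

// Client side: the request a logged-in browser sends, with or without the nonce.
function buildRequest(nonce) {
  const headers = {};
  if (nonce !== undefined) headers['x-wp-nonce'] = nonce;
  return { cookies: { loggedIn: true }, headers };
}

// The three cases a developer meets while debugging:
const withoutNonce = serverHandle(buildRequest());           // the asker's case
const withNonce = serverHandle(buildRequest(VALID_NONCE));   // the answer's fix
const staleNonce = serverHandle(buildRequest('stale-nonce')); // expired or wrong
console.log(withoutNonce, withNonce, staleNonce);
```

The response code tells the cases apart: `rest_forbidden` with 401 means the nonce never arrived, while `rest_cookie_invalid_nonce` means it arrived but did not verify.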
