Reference: https://core.trac.wordpress.org/ticket/50075 plus its comments. Observe that this design deficiency directly led to security vulnerabilities in at least three very popular plugins.
The tl;dr is that it was a mistake for the `permission_callback` argument to not be required when registering a REST API endpoint, for a few reasons:

- It makes it easy for a developer to overlook permissions, as they aren't required to explicitly implement a permissions check.
- It makes it easy for a typo in the property name to go unnoticed (arguably more of a schema validation problem, but still).
The same concerns apply to the permission_callback argument when registering an ability. This argument should be made mandatory and registration of an ability should fail hard when not present.
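As an added illustration (not WordPress core code and not the ticket's patch), here is a registration function that enforces what the issue proposes. `my_register_ability()` and its accepted argument keys are hypothetical; it refuses the registration when `permission_callback` is absent or not callable, and it rejects unknown keys so that a misspelled key fails at registration time rather than silently leaving the ability unprotected.

```php
<?php
// Added example, not WordPress core code. my_register_ability() and its
// argument keys are hypothetical stand-ins for an ability-registration API
// that fails hard instead of defaulting to "allow everyone".

declare(strict_types=1);

/**
 * Register an ability; throws unless a valid permission_callback is given.
 *
 * @param string $name Ability name, e.g. 'my-plugin/export-users'.
 * @param array  $args Registration arguments.
 * @return array The registered arguments.
 * @throws InvalidArgumentException On a missing, invalid, or unknown argument.
 */
function my_register_ability( string $name, array $args ): array {
    static $registry = array();

    // Reject unknown keys so a typo such as 'permissions_callback' surfaces
    // here instead of being ignored (the REST API problem the ticket describes).
    $allowed = array( 'label', 'callback', 'permission_callback' );
    $unknown = array_diff( array_keys( $args ), $allowed );
    if ( $unknown ) {
        throw new InvalidArgumentException(
            sprintf( 'Ability "%s": unknown argument(s): %s', $name, implode( ', ', $unknown ) )
        );
    }

    // Fail hard: there is no default permission check.
    if ( ! isset( $args['permission_callback'] ) || ! is_callable( $args['permission_callback'] ) ) {
        throw new InvalidArgumentException(
            sprintf( 'Ability "%s": permission_callback is required and must be callable.', $name )
        );
    }
    if ( ! isset( $args['callback'] ) || ! is_callable( $args['callback'] ) ) {
        throw new InvalidArgumentException( sprintf( 'Ability "%s": callback must be callable.', $name ) );
    }

    $registry[ $name ] = $args;
    return $registry[ $name ];
}

// Constructed usage: the misspelled key is rejected, so the ability is never
// registered in a state where anyone could execute it.
try {
    my_register_ability( 'my-plugin/export-users', array(
        'callback'             => fn() => 'exported',
        'permissions_callback' => fn() => current_user_can( 'manage_options' ), // typo
    ) );
} catch ( InvalidArgumentException $e ) {
    error_log( $e->getMessage() ); // ... unknown argument(s): permissions_callback
}
```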