Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add capability check to Custom Results API endpoints. #3004

Merged
merged 2 commits into from
Sep 19, 2022
Merged

Add capability check to Custom Results API endpoints. #3004

merged 2 commits into from
Sep 19, 2022

Conversation

JakePT
Copy link
Contributor

@JakePT JakePT commented Sep 16, 2022

Description of the Change

Adds a capability check to Custom Results API endpoints used for editing results sets. While those endpoints only return content that's normally publicly accessible the endpoints could inadvertently expose protected content that was not adequately protected. Since the endpoints do not need to be publicly available they can be restricted by the same capability required for accessing the admin page.

Closes #3001

How to test the Change

  1. Accessing /wp-json/elasticpress/v1/pointer_search?s=abc in the browser should return a 401.
  2. The search fields when creating a custom results set should function as normal.

Changelog Entry

Changed - The endpoints used for managing custom results are no longer publicly accessible.

Credits

Props @JakePT , @PypWalters

Checklist:

  • I agree to follow this project's Code of Conduct.
  • I have updated the documentation accordingly.
  • I have added tests to cover my change.
  • All new and existing tests pass.

@JakePT JakePT self-assigned this Sep 16, 2022
@JakePT JakePT added this to the 4.3.1 milestone Sep 16, 2022
@JakePT JakePT changed the title Add capability check to API endpoints. Add capability check to Custom Results API endpoints. Sep 16, 2022
@felipeelia felipeelia merged commit 176b4b7 into develop Sep 19, 2022
@felipeelia felipeelia deleted the fix/3001 branch September 19, 2022 17:36
@burhandodhy burhandodhy mentioned this pull request Sep 23, 2022
Merged
4 tasks
rebeccahum added a commit to Automattic/ElasticPress that referenced this pull request Nov 9, 2022
@rebeccahum
Pull in 10up#3004
4a75ee6
rebeccahum added a commit to Automattic/ElasticPress that referenced this pull request Nov 9, 2022
@rebeccahum
Pull in 10up#3004 (#181)
b44d015
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@felipeelia felipeelia Awaiting requested review from felipeelia

Assignees

@JakePT JakePT

Labels
None yet
Projects
None yet
Milestone
4.3.1
Development

Successfully merging this pull request may close these issues.

BUG: Custom Results REST API endpoints have no permissions check
2 participants
@JakePT @felipeelia