From 91e88ac421ca6d35f4349a6fd33e4b831116bc34 Mon Sep 17 00:00:00 2001
From: ingeniumed
Date: Tue, 4 Jun 2024 14:58:07 +1000
Subject: [PATCH 1/3] Add the capability check to the preview endpoint to prevent it from being accessible to unauthenticated users
---
CHANGELOG.md | 3 +++
classes/class-wpcom-liveblog-rest-api.php | 2 +-
liveblog.php | 4 ++--
3 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5abc25e0..e237a156 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,8 @@
# Changelog
+## 1.9.7
+* Add a capability check to the preview endpoint, to prevent unauthenticated users from accessing it
+
## 1.9.6
* Revert #597, restoring `get_fields_for_render()` that is being used in some implementations (#639)
diff --git a/classes/class-wpcom-liveblog-rest-api.php b/classes/class-wpcom-liveblog-rest-api.php
index acb493bb..ec666329 100644
--- a/classes/class-wpcom-liveblog-rest-api.php
+++ b/classes/class-wpcom-liveblog-rest-api.php
@@ -180,12 +180,12 @@ public static function register_routes() {
array(
'methods' => WP_REST_Server::CREATABLE,
'callback' => array( __CLASS__, 'format_preview_entry' ),
+ 'permission_callback' => array( 'WPCOM_Liveblog', 'current_user_can_edit_liveblog' ),
'args' => array(
'entry_content' => array(
'required' => true,
),
),
- 'permission_callback' => '__return_true',
)
);
diff --git a/liveblog.php b/liveblog.php
index 96eb957e..59eac1de 100644
--- a/liveblog.php
+++ b/liveblog.php
@@ -4,7 +4,7 @@
* Plugin Name: Liveblog
* Plugin URI: http://wordpress.org/extend/plugins/liveblog/
* Description: Empowers website owners to provide rich and engaging live event coverage to a large, distributed audience.
- * Version: 1.9.6
+ * Version: 1.9.7
* Author: WordPress.com VIP, Big Bite Creative and contributors
* Author URI: https://github.com/Automattic/liveblog/graphs/contributors
* Text Domain: liveblog
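Review bot: The new `permission_callback` on the preview route receives no request context, so it cannot be scoped to the liveblog post being previewed; WordPress passes the `WP_REST_Request` to the permission callback, and if `current_user_can_edit_liveblog()` (defined outside this hunk) resolves the post from a global rather than from the request, it may be evaluated against no post at all on a REST call. If the route captures a post id (the route pattern is outside the hunk), wrapping the check so that id is used explicitly would make the intent auditable, e.g. `'permission_callback' => function ( $request ) { return WPCOM_Liveblog::current_user_can_edit_liveblog( $request['post_id'] ); },`. Note also that a capability-gated `CREATABLE` route now depends on cookie authentication carrying a valid `X-WP-Nonce`; front-end callers of the preview endpoint must send it or they will be treated as user 0 and rejected. register_routes() starts and ends outside this hunk.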
@@ -26,7 +26,7 @@ final class WPCOM_Liveblog {
/** Constants *************************************************************/
- const VERSION = '1.9.6';
+ const VERSION = '1.9.7';
const REWRITES_VERSION = 1;
const MIN_WP_VERSION = '4.4';
const MIN_WP_REST_API_VERSION = '4.4';
From a2ff5b9c64ee4d0e9b001147a078766073e6e1b1 Mon Sep 17 00:00:00 2001
From: ingeniumed
Date: Thu, 6 Jun 2024 11:04:53 +1000
Subject: [PATCH 2/3] Guard the authors, hashtag read endpoints as well as the ajax preview entry endpoint
---
classes/class-wpcom-liveblog-rest-api.php | 2 ++
liveblog.php | 2 ++
2 files changed, 4 insertions(+)
diff --git a/classes/class-wpcom-liveblog-rest-api.php b/classes/class-wpcom-liveblog-rest-api.php
index ec666329..e6ed90b2 100644
--- a/classes/class-wpcom-liveblog-rest-api.php
+++ b/classes/class-wpcom-liveblog-rest-api.php
@@ -205,6 +205,7 @@ public static function register_routes() {
array(
'methods' => WP_REST_Server::READABLE,
'callback' => array( __CLASS__, 'get_authors' ),
+ 'permission_callback' => array( 'WPCOM_Liveblog', 'current_user_can_edit_liveblog' ),
'args' => array(
'term' => array(
'required' => false,
@@ -230,6 +231,7 @@ public static function register_routes() {
array(
'methods' => WP_REST_Server::READABLE,
'callback' => array( __CLASS__, 'get_hashtag_terms' ),
+ 'permission_callback' => array( 'WPCOM_Liveblog', 'current_user_can_edit_liveblog' ),
'args' => array(
'term' => array(
'required' => false,
diff --git a/liveblog.php b/liveblog.php
index 59eac1de..843ecd82 100644
--- a/liveblog.php
+++ b/liveblog.php
@@ -917,6 +917,8 @@ public static function flatten_entries( $entries ) {
}
public static function ajax_preview_entry() {
+ self::ajax_current_user_can_edit_liveblog();
+
$entry_content = isset( $_REQUEST['entry_content'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['entry_content'] ) ) : ''; // input var ok
$entry_content = self::format_preview_entry( $entry_content );
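Review bot: The added `'permission_callback'` key for the authors route is placed above `'args'` while the pre-existing `'permission_callback' => '__return_true'` entry below `'args'` (outside this hunk; its removal is visible in the next commit of the series) is left in place, and in a PHP array literal the last duplicate key wins, so at this commit `__return_true` still takes effect and the authors endpoint remains open. The follow-up commit fixes this, but this commit on its own does not guard the route, which matters for bisects and for anyone cherry-picking it. Replacing the old line in the same hunk — `'permission_callback' => array( 'WPCOM_Liveblog', 'current_user_can_edit_liveblog' ),` in place of the `'__return_true'` line — would avoid the duplicate entirely. register_routes() continues outside the hunk.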
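Review bot: The hashtag-terms route has the same problem as the authors route in this commit: the new `'permission_callback'` is added above `'args'` while the original `'permission_callback' => '__return_true'` below `'args'` (outside the hunk) is still present, and PHP keeps the last duplicate key, so the check added here is silently overridden until the stale key is removed. The later commit in this series does remove it, but the guard should be introduced by replacing the `'__return_true'` line rather than adding a second key. A unit test that registers the routes and asserts the resolved permission callback for `/hashtags` (and `/authors`) would have caught this. register_routes() continues outside the hunk.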
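Review bot: `self::ajax_current_user_can_edit_liveblog();` is called purely for its side effect and its return value is discarded, so this guard only works if that helper terminates the request itself (e.g. via `wp_send_json_error()` or `die`); its definition is not in view here. If it returns a boolean instead, unauthorised callers still reach the formatting below, so `if ( ! self::ajax_current_user_can_edit_liveblog() ) { return; }` would be safe under either contract. A one-line comment such as `// Terminates the request for users without the edit capability.` above the call would document the assumption for the next maintainer. ajax_preview_entry() continues past the end of this hunk.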
From 20ba9fe8350a74b6c36ba00e094c6d0e747c61ed Mon Sep 17 00:00:00 2001
From: ingeniumed
Date: Thu, 6 Jun 2024 11:35:31 +1000
Subject: [PATCH 3/3] Update release tag and remove duplicate permission callback
---
CHANGELOG.md | 2 +-
README.md | 2 +-
classes/class-wpcom-liveblog-rest-api.php | 2 --
readme.txt | 2 +-
4 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index e237a156..1c2a7bf6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,7 +1,7 @@
# Changelog
## 1.9.7
-* Add a capability check to the preview endpoint, to prevent unauthenticated users from accessing it
+* Adds a capability check to the preview, authors and hashtag endpoint to prevent unauthenticated calls (#685)
## 1.9.6
diff --git a/README.md b/README.md
index 9069a8c5..f7fc29f3 100644
--- a/README.md
+++ b/README.md
@@ -6,7 +6,7 @@
* Requires at least: 4.4
* Requires PHP: 5.6
* Tested up to: 4.9.8
-* Stable tag: 1.9.6
+* Stable tag: 1.9.7
* License: GPLv2 or later
* License URI: http://www.gnu.org/licenses/gpl-2.0.html
diff --git a/classes/class-wpcom-liveblog-rest-api.php b/classes/class-wpcom-liveblog-rest-api.php
index e6ed90b2..bb1480fe 100644
--- a/classes/class-wpcom-liveblog-rest-api.php
+++ b/classes/class-wpcom-liveblog-rest-api.php
@@ -211,7 +211,6 @@ public static function register_routes() {
'required' => false,
),
),
- 'permission_callback' => '__return_true',
)
);
@@ -237,7 +236,6 @@ public static function register_routes() {
'required' => false,
),
),
- 'permission_callback' => '__return_true',
)
);
diff --git a/readme.txt b/readme.txt
index 524bd5bd..02bfa7b2 100644
--- a/readme.txt
+++ b/readme.txt
@@ -4,7 +4,7 @@ Tags: liveblog
Requires at least: 4.4
Requires PHP: 5.6
Tested up to: 5.8
-Stable tag: 1.9.6
+Stable tag: 1.9.7
License: GPLv2 or later
License URI: http://www.gnu.org/licenses/gpl-2.0.html