Debug Helper: restrict REST API access to site admins. (#36999)

Automattic · Apr 22, 2024 · fa1eb0d · fa1eb0d
1 parent 20a2ce1
commit fa1eb0d
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 2 deletions.
diff --git a/projects/plugins/debug-helper/changelog/update-debug-helper-rest-route-permissions b/projects/plugins/debug-helper/changelog/update-debug-helper-rest-route-permissions
@@ -0,0 +1,4 @@
+Significance: patch
+Type: fixed
+
+REST API: restrict access to authenticated site admins
diff --git a/projects/plugins/debug-helper/modules/class-cookie-state.php b/projects/plugins/debug-helper/modules/class-cookie-state.php
@@ -49,7 +49,9 @@ public function register_endpoints() {
 			array(
 				'methods'             => WP_REST_Server::EDITABLE,
 				'callback'            => array( $this, 'save' ),
-				'permission_callback' => '__return_true',
+				'permission_callback' => function () {
+						return current_user_can( 'manage_options' );
+				},
 				'args'                => array(
 					'key'   => array(
 						'description' => 'The state key.',

diff --git a/projects/plugins/debug-helper/modules/class-mocker.php b/projects/plugins/debug-helper/modules/class-mocker.php
@@ -51,7 +51,9 @@ public function register_endpoints() {
 			array(
 				'methods'             => WP_REST_Server::READABLE,
 				'callback'            => array( $this, 'run' ),
-				'permission_callback' => '__return_true',
+				'permission_callback' => function () {
+						return current_user_can( 'manage_options' );
+				},
 			)
 		);
 	}