From fa1eb0db5be821d67922f03a73693e0965eb8f68 Mon Sep 17 00:00:00 2001
From: Jeremy Herve
Date: Mon, 22 Apr 2024 21:01:50 +0200
Subject: [PATCH] Debug Helper: restrict REST API access to site admins. (#36999)
---
 .../changelog/update-debug-helper-rest-route-permissions | 4 ++++
 projects/plugins/debug-helper/modules/class-cookie-state.php | 4 +++-
 projects/plugins/debug-helper/modules/class-mocker.php | 4 +++-
 3 files changed, 10 insertions(+), 2 deletions(-)
 create mode 100644 projects/plugins/debug-helper/changelog/update-debug-helper-rest-route-permissions
diff --git a/projects/plugins/debug-helper/changelog/update-debug-helper-rest-route-permissions b/projects/plugins/debug-helper/changelog/update-debug-helper-rest-route-permissions
new file mode 100644
index 0000000000000..563cd88ad9297
--- /dev/null
+++ b/projects/plugins/debug-helper/changelog/update-debug-helper-rest-route-permissions
@@ -0,0 +1,4 @@
+Significance: patch
+Type: fixed
+
+REST API: restrict access to authenticated site admins
diff --git a/projects/plugins/debug-helper/modules/class-cookie-state.php b/projects/plugins/debug-helper/modules/class-cookie-state.php
index 5e47bceea18cc..5ee3d496252ad 100644
--- a/projects/plugins/debug-helper/modules/class-cookie-state.php
+++ b/projects/plugins/debug-helper/modules/class-cookie-state.php
@@ -49,7 +49,9 @@ public function register_endpoints() {
 array(
 'methods' => WP_REST_Server::EDITABLE,
 'callback' => array( $this, 'save' ),
- 'permission_callback' => '__return_true',
+ 'permission_callback' => function () {
+ return current_user_can( 'manage_options' );
+ },
 'args' => array(
 'key' => array(
 'description' => 'The state key.',
diff --git a/projects/plugins/debug-helper/modules/class-mocker.php b/projects/plugins/debug-helper/modules/class-mocker.php
index ab62ce0198ef4..604b7ab787382 100644
--- a/projects/plugins/debug-helper/modules/class-mocker.php
+++ b/projects/plugins/debug-helper/modules/class-mocker.php
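Review bot: The permission check is written as an inline closure in this class-cookie-state.php hunk and duplicated verbatim in the class-mocker.php hunk, which leaves no named method to unit-test or reuse and lets the two copies drift apart. Consider the WP_REST_Controller convention of a named method on each class, `'permission_callback' => array( $this, 'permissions_check' ),` backed by `public function permissions_check() { return current_user_can( 'manage_options' ); }`. A docblock on that method should state that cookie-authenticated callers must send a valid REST nonce (the `X-WP-Nonce` header or `_wpnonce` parameter); without it WordPress treats the request as unauthenticated, `current_user_can()` is false and the route answers `rest_forbidden`, which presumably matters most for the GET `run` route in class-mocker.php if it was previously called straight from a browser. register_endpoints() begins before the hunk in both files.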
@@ -51,7 +51,9 @@ public function register_endpoints() {
 array(
 'methods' => WP_REST_Server::READABLE,
 'callback' => array( $this, 'run' ),
- 'permission_callback' => '__return_true',
+ 'permission_callback' => function () {
+ return current_user_can( 'manage_options' );
+ },
 )
 );
 }