[wp-trac] [WordPress Trac] #43998: REST API: Permit unbounded per_page=-1 requests for authorized users
WordPress Trac
noreply at wordpress.org
Mon May 7 22:50:29 UTC 2018
#43998: REST API: Permit unbounded per_page=-1 requests for authorized users
-----------------------------+------------------------------------------
Reporter: danielbachhuber | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: 4.9.7
Component: REST API | Version:
Severity: normal | Keywords: needs-patch needs-unit-tests
Focuses: rest-api |
-----------------------------+------------------------------------------
Currently, the REST API limits `GET` collection queries (e.g. `GET
/wp/v2/users`) to a `per_page` value between 1 and 100. The decision
protects a WordPress site from a resource-exhaustion DoS attack; unbounded
queries can cause significant performance problems.
However, this limit negatively impacts Gutenberg, because there are
contexts in which Gutenberg needs access to ''all'' items (e.g. the author
drop-down). Given the significant accessibility challenges in producing a
lazy-load implementation, a reasonable alternative is to permit unbounded
`per_page=-1` requests for authorized users. In this case, an authorized
user can be defined as:
{{{
// A user may issue an unbounded request if they can edit at least one
// post type that is exposed in the REST API.
$can_unbounded_request = false;
$types = get_post_types( array( 'show_in_rest' => true ), 'objects' );
foreach ( $types as $type ) {
    if ( current_user_can( $type->cap->edit_posts ) ) {
        $can_unbounded_request = true;
        break; // one qualifying post type is enough
    }
}
}}}
See conversation in https://github.com/WordPress/gutenberg/issues/6180 for
the backstory.
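The following is an added example, not code from the ticket or from WordPress core, sketching how the rule above could be enforced as a plugin: a request-time gate that rejects `per_page=-1` from everyone except users matching the ticket's definition, plus the schema change needed so that `-1` reaches the gate at all. The `wp43998_*` function names are hypothetical; the hooks used (`rest_pre_dispatch`, `rest_api_init`, `rest_{$post_type}_collection_params`, `rest_user_collection_params`) are core WordPress hooks.

```php
<?php
/**
 * Hypothetical plugin sketch for #43998 (added example, not core code).
 */

/**
 * The ticket's definition of an "authorized user": anyone who can edit
 * at least one post type that is exposed in the REST API.
 */
function wp43998_user_can_request_unbounded() {
    $types = get_post_types( array( 'show_in_rest' => true ), 'objects' );
    foreach ( $types as $type ) {
        if ( current_user_can( $type->cap->edit_posts ) ) {
            return true;
        }
    }
    return false;
}

/**
 * Enforcement point. rest_pre_dispatch runs inside WP_REST_Server::dispatch(),
 * after REST authentication has been resolved, so current_user_can() here
 * reflects the real caller of this request rather than a cookie that has not
 * yet had its nonce checked.
 */
function wp43998_gate_unbounded_requests( $result, $server, $request ) {
    if ( null !== $result ) {
        return $result; // another filter already short-circuited dispatch
    }
    if ( 'GET' !== $request->get_method() ) {
        return $result;
    }
    $per_page = $request->get_param( 'per_page' );
    if ( null === $per_page || (int) $per_page >= 1 ) {
        return $result; // bounded request: normal 1..100 validation still applies
    }
    if ( -1 !== (int) $per_page ) {
        // Relaxing the schema minimum (below) would otherwise let 0 through.
        return new WP_Error(
            'rest_invalid_param',
            __( 'per_page must be between 1 and 100, or -1 for all items.' ),
            array( 'status' => 400 )
        );
    }
    if ( wp43998_user_can_request_unbounded() ) {
        return $result; // authorized: let the collection callback run unbounded
    }
    return new WP_Error(
        'rest_forbidden_per_page',
        __( 'Sorry, you are not allowed to request an unbounded collection.' ),
        array( 'status' => rest_authorization_required_code() ) // 401 or 403
    );
}
add_filter( 'rest_pre_dispatch', 'wp43998_gate_unbounded_requests', 10, 3 );

/**
 * Schema side. Core's collection parameter schema rejects per_page < 1 during
 * argument validation, so -1 must be permitted there or it never reaches the
 * gate. The relaxation is deliberately unconditional: schema registration
 * happens before the caller is known, so the authorization decision lives in
 * the request-time gate, not here.
 */
function wp43998_allow_minus_one_in_schema( $params ) {
    if ( isset( $params['per_page'] ) ) {
        $params['per_page']['minimum'] = -1;
    }
    return $params;
}
add_action( 'rest_api_init', function () {
    // Post types are registered on init, so they are all known by rest_api_init.
    foreach ( get_post_types( array( 'show_in_rest' => true ), 'names' ) as $post_type ) {
        add_filter( "rest_{$post_type}_collection_params", 'wp43998_allow_minus_one_in_schema' );
    }
    add_filter( 'rest_user_collection_params', 'wp43998_allow_minus_one_in_schema' );
}, 5 );
```

Two design points worth noting. The capability check is performed where the authenticated user is already established, not at schema registration time, so an unauthenticated caller cannot obtain an unbounded query by the mere presence of a relaxed schema. The gate also inspects `per_page` on every `GET` route, so it covers plugin-registered collections as well; a site that wants the exemption limited to specific routes would additionally compare `$request->get_route()` against an allow-list.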
--
Ticket URL: <https://core.trac.wordpress.org/ticket/43998>
WordPress Trac <https://core.trac.wordpress.org/>