[wp-trac] [WordPress Trac] #38446: Deprecate the rest_enabled filter

WordPress Trac noreply at wordpress.org
Mon Oct 24 01:33:42 UTC 2016

#38446: Deprecate the rest_enabled filter
 Reporter:  pento                                |       Owner:
     Type:  enhancement                          |      Status:  new
 Priority:  normal                               |   Milestone:  4.7
Component:  REST API                             |     Version:
 Severity:  normal                               |  Resolution:
 Keywords:  needs-patch needs-unit-tests needs-  |     Focuses:
  docs needs-dev-note                            |

Comment (by rmccue):

 I am -1 on removing this, for a few reasons.

 1. I think we should give people enough rope to hang themselves if they
 really want. The fact is that the REST API does introduce a new attack
 surface (the Flash XSS exploit for example).
 2. The admin should be designed to work without JavaScript, and hence
 without the REST API. For people that disable the API, the progressive
 enhancement should drop back to standard interactions.

 That said, there is a way to remove the endpoints without needing to use
 this filter:
 remove_action( 'rest_api_init', 'create_initial_rest_routes', 99 );

 I think we should start publicising this method rather than the
 sledgehammer that is `rest_enabled`.

 @dmchale Maybe you could switch your plugin to that method? Unsure if
 that's changing the functionality too much.

Ticket URL: <https://core.trac.wordpress.org/ticket/38446#comment:7>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list