[wp-trac] [WordPress Trac] #44711: Try Gutenberg: Clicking Install can result in a 500 error
WordPress Trac
noreply at wordpress.org
Fri Aug 3 02:29:41 UTC 2018
#44711: Try Gutenberg: Clicking Install can result in a 500 error
-------------------------------+-----------------------------
Reporter: pento | Owner: pento
Type: defect (bug) | Status: assigned
Priority: normal | Milestone: 4.9.9
Component: Administration | Version: 4.9.8
Severity: normal | Resolution:
Keywords: reporter-feedback | Focuses: administration
-------------------------------+-----------------------------
Comment (by pbiron):
Replying to [comment:7 pbiron]:
> Replying to [comment:6 pento]:
> > Oh, I see how that's happening. Is `/wp-json/*` a default setting there?
>
> No.
>
> I had a number of malicious attacks against several sites I manage by
> bots probing for various REST-API vulnerabilities. And since "normal"
> usage of these sites had no need for the REST-API, I added that rule.
Adding that rule was kind of the lazy way out.
What I should have done was something like:
{{{#!php
add_filter( 'rest_authentication_errors', 'shc_rest_authentication_errors' );

/**
 * Restrict REST-API requests to logged in users.
 *
 * @param WP_Error|null|true $error Result of earlier authentication checks
 *                                  (null when no check has run yet).
 * @return WP_Error|null|true
 */
function shc_rest_authentication_errors( $error ) {
	// Pass through a result another handler has already produced.
	if ( ! empty( $error ) || is_user_logged_in() ) {
		return $error;
	}

	return new WP_Error(
		'rest_not_logged_in',
		'You must be logged in to access this resource.',
		array( 'status' => 401 )
	);
}
}}}
which I will change all my sites to in the morning when I've had a chance
to test it a little bit.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/44711#comment:9>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
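The comment above replaces a web-server rewrite rule on `/wp-json/*` (which turned wp-admin's own REST calls, such as the Try Gutenberg install, into 500 errors) with an application-layer check. The following mu-plugin is an added example, not pbiron's code or WordPress core code. It assumes the standard filter contract (`WP_Error|null|true`) and hooks in at priority 101, after core's `rest_cookie_check_errors` at priority 100, so a cookie session without a valid REST nonce has already been downgraded to user 0 and is rejected like any anonymous request; it also writes a log line for denied requests so bot probing stays visible in the PHP error log. The function and plugin names are illustrative.

```php
<?php
/**
 * Plugin Name: Require login for REST API (added example)
 * Description: Rejects unauthenticated REST requests with a JSON 401
 *              instead of blocking /wp-json/* at the web server.
 */

// Priority 101: run after core's cookie/nonce check (priority 100), so
// is_user_logged_in() reflects a nonce-validated session, not just a cookie.
add_filter( 'rest_authentication_errors', 'example_require_login_for_rest', 101 );

/**
 * Deny REST requests from users who are not authenticated.
 *
 * @param WP_Error|null|true $result Result of earlier authentication checks.
 * @return WP_Error|null|true
 */
function example_require_login_for_rest( $result ) {
	// Never hide an error another authentication handler already produced.
	if ( is_wp_error( $result ) ) {
		return $result;
	}

	// Authenticated (and, via core's check, nonce-validated) users pass.
	if ( is_user_logged_in() ) {
		return $result;
	}

	// Assumed logging choice: record denied requests for later review.
	$method = isset( $_SERVER['REQUEST_METHOD'] ) ? sanitize_key( $_SERVER['REQUEST_METHOD'] ) : '';
	$route  = isset( $_SERVER['REQUEST_URI'] ) ? esc_url_raw( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : '';
	$client = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( $_SERVER['REMOTE_ADDR'] ) : '';
	error_log( sprintf( 'rest_not_logged_in: %s %s from %s', $method, $route, $client ) );

	// A proper REST error: JSON body, 401 status, no 500 from the web server.
	return new WP_Error(
		'rest_not_logged_in',
		__( 'You must be logged in to access this resource.' ),
		array( 'status' => 401 )
	);
}
```

Drop the file into `wp-content/mu-plugins/` so it cannot be deactivated from the admin UI. A quick check after deploying: an anonymous request to a REST route should now return a JSON body with `"code":"rest_not_logged_in"` and HTTP 401, while the Try Gutenberg install button (which sends the logged-in user's nonce) keeps working.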