[wp-trac] [WordPress Trac] #56079: Internal rest_do_request calls for posts/CPTs with status of anything but "published" should not need authentication
WordPress Trac
noreply at wordpress.org
Sun Jun 2 21:53:56 UTC 2024
#56079: Internal rest_do_request calls for posts/CPTs with status of anything but
"published" should not need authentication
--------------------------+-----------------------
Reporter: mkormendy | Owner: (none)
Type: defect (bug) | Status: closed
Priority: normal | Milestone:
Component: REST API | Version:
Severity: normal | Resolution: invalid
Keywords: | Focuses: rest-api
--------------------------+-----------------------
Changes (by TimothyBlynJacobs):
* status: new => closed
* resolution: => invalid
* milestone: Awaiting Review =>
Comment:
Thanks for the ticket @mkormendy.
I appreicate while this would be helpful for you. But this is simply not
how the REST API has been designed. An internal request shouldn't behave
differently from a global one. Changing that at this point would be a
security issue. For instance, the Batch API utilizes `rest_do_request` and
relies on endpoints to perform their authentication checks.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/56079#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list