From 91e88ac421ca6d35f4349a6fd33e4b831116bc34 Mon Sep 17 00:00:00 2001
From: ingeniumed
Date: Tue, 4 Jun 2024 14:58:07 +1000
Subject: [PATCH] Add the capability check to the preview endpoint to prevent it from being accessible to unauthenticated users
---
 CHANGELOG.md | 3 +++
 classes/class-wpcom-liveblog-rest-api.php | 2 +-
 liveblog.php | 4 ++--
 3 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5abc25e0..e237a156 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,8 @@
 # Changelog
+## 1.9.7
+* Add a capability check to the preview endpoint, to prevent unauthenticated users from accessing it
+
 ## 1.9.6
 * Revert #597, restoring `get_fields_for_render()` that is being used in some implementations (#639)
diff --git a/classes/class-wpcom-liveblog-rest-api.php b/classes/class-wpcom-liveblog-rest-api.php
index acb493bb..ec666329 100644
--- a/classes/class-wpcom-liveblog-rest-api.php
+++ b/classes/class-wpcom-liveblog-rest-api.php
@@ -180,12 +180,12 @@ public static function register_routes() {
 array(
 'methods' => WP_REST_Server::CREATABLE,
 'callback' => array( __CLASS__, 'format_preview_entry' ),
+ 'permission_callback' => array( 'WPCOM_Liveblog', 'current_user_can_edit_liveblog' ),
 'args' => array(
 'entry_content' => array(
 'required' => true,
 ),
 ),
- 'permission_callback' => '__return_true',
 )
 );
diff --git a/liveblog.php b/liveblog.php
index 96eb957e..59eac1de 100644
--- a/liveblog.php
+++ b/liveblog.php
@@ -4,7 +4,7 @@
 * Plugin Name: Liveblog
 * Plugin URI: http://wordpress.org/extend/plugins/liveblog/
 * Description: Empowers website owners to provide rich and engaging live event coverage to a large, distributed audience.
- * Version: 1.9.6
+ * Version: 1.9.7
 * Author: WordPress.com VIP, Big Bite Creative and contributors
 * Author URI: https://github.com/Automattic/liveblog/graphs/contributors
 * Text Domain: liveblog
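Review bot: The new `permission_callback` on the preview route delegates entirely to `WPCOM_Liveblog::current_user_can_edit_liveblog`, which is outside this hunk, so it is worth confirming that it checks the capability against the specific liveblog post the route addresses rather than a site-wide capability, and that it returns a boolean or `WP_Error` as `WP_REST_Server` expects rather than an arbitrary truthy value. Since cookie-authenticated REST requests are treated as unauthenticated unless they carry a valid `X-WP-Nonce` header, the front-end code that calls this endpoint must already send the REST nonce, otherwise the previously-public preview call will now also fail for logged-in editors; that caller is not part of this diff. A short why-comment on the added line would help future readers, e.g. `// Preview renders caller-supplied entry content; restrict it to users allowed to edit this liveblog.`. `register_routes()` begins and ends outside the hunk.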
@@ -26,7 +26,7 @@ final class WPCOM_Liveblog {
 /** Constants *************************************************************/
- const VERSION = '1.9.6';
+ const VERSION = '1.9.7';
 const REWRITES_VERSION = 1;
 const MIN_WP_VERSION = '4.4';
 const MIN_WP_REST_API_VERSION = '4.4';