added options to require authentication for core endpoints

RichCodesign · Dec 13, 2016 · 340e59a · 340e59a
1 parent 8dd12c8
commit 340e59a
Show file tree

Hide file tree

Showing 2 changed files with 47 additions and 1 deletion.
diff --git a/includes/class-rest-api-toolbox-common.php b/includes/class-rest-api-toolbox-common.php
@@ -26,6 +26,8 @@ static public function plugins_loaded() {
 			add_filter( 'rest_endpoints',               array( __CLASS__, 'remove_all_core_endpoints'), 100, 1 );
 			add_filter( 'rest_endpoints',               array( __CLASS__, 'remove_selected_core_endpoints'), 100, 1 );
 
+			// Filter hook to require authentication for specific endpoints.
+			add_filter( 'rest_pre_dispatch',            array( __CLASS__, 'endpoint_requires_authentication_filter' ), 100, 3 );
 		}
 
 		/**
@@ -112,7 +114,7 @@ static public function rest_authentication_errors_filter( $error ) {
 				$disable_rest_api = REST_API_Toolbox_Settings::setting_is_enabled( 'general', 'disable-rest-api' );
 
 				if ( $disable_rest_api ) {
-					$error = new WP_Error( 'rest_disabled', __( 'The REST API is disabled on this site.' ) );
+					$error = new WP_Error( 'rest_disabled', __( 'The REST API is disabled on this site.' ), array( 'status' => 404 ) );
 				}
 			}
 
@@ -233,6 +235,39 @@ static public function remove_endpoint( $routes, $remove_endpoint ) {
 			return $routes;
 		}
 
+		/**
+		 * Filter hook to require authentication on specific endpoints.
+		 *
+		 * @param mixed           $result      Response to replace the requested version with. Can be anything
+		 *                                     a normal endpoint can return, or null to not hijack the request.
+		 * @param WP_REST_Server  $rest_server Server instance.
+		 * @param WP_REST_Request $request     Request used to generate the response.
+		 * @return mixed
+		 */
+		static public function endpoint_requires_authentication_filter( $result, $rest_server, $request ) {
+
+			// Get the route for the request.
+			$route = $request->get_route();
+
+			// Get the settings for core.
+			$core_settings = get_option( REST_API_Toolbox_Settings::options_key( 'core' ) );
+			$key = 'require-authentication|' . $route;
+
+			// See if this route is configured to require authentication and
+			// if there is a current user logged in.
+			if ( ! empty( $core_settings ) && isset( $core_settings[ $key ] ) && '1' === $core_settings[ $key ] && ! is_user_logged_in() ) {
+
+				// Return a WP_Error is authentication is required but there
+				// is no current user logged in.
+				$result = new WP_Error(
+					'rest_cannot_view',
+					sprintf( __( 'The REST API route %s requires authentication on this site.', 'rest-api-toolbox' ), $route ),
+					array( 'status' => 401 )
+				);
+			}
+
+			return $result;
+		}
 
 	}
 

diff --git a/includes/settings/class-rest-api-toolbox-settings-core.php b/includes/settings/class-rest-api-toolbox-settings-core.php
@@ -34,13 +34,24 @@ static public function register_core_settings() {
 			$endpoints = REST_API_Toolbox_Common::core_endpoints();
 
 			foreach( $endpoints as $endpoint ) {
+
+				// Add yes/no options to remove the endpoint.
 				$name = 'remove-endpoint|/' . $namespace . '/' . $endpoint;
 				add_settings_field( $name, sprintf( __( 'Remove Endpoint: %s', 'rest-api-toolbox' ), $endpoint),
 					array( __CLASS__, 'settings_yes_no' ),
 					$key,
 					$section,
 					array( 'key' => $key, 'name' => $name, 'after' => '' )
 					);
+
+				// Add yes/no options to require authentication.
+				$name = 'require-authentication|/' . $namespace . '/' . $endpoint;
+				add_settings_field( $name, sprintf( __( 'Require Authentication: %s', 'rest-api-toolbox' ), $endpoint),
+					array( __CLASS__, 'settings_yes_no' ),
+					$key,
+					$section,
+					array( 'key' => $key, 'name' => $name, 'after' => '' )
+					);
 			}
 
 		}