Version Description
- Tested for WP v4.8
- Tested for PHP 5.3+
- Added settings screen
- Site Admins may now whitelist routes that they wish to allow unauthenticated access to
- Added
dra_allow_rest_api
filter to the is_logged_in() check, so developers can get more granular with permissions - Props to @tangrufus for all of the help that went into this release
Download this release
Release Info
Developer | dmchale |
Plugin | Disable REST API |
Version | 1.4 |
Comparing to | |
See all releases |
Code changes from version 1.3 to 1.4
- admin.php +95 -0
- classes/disable-rest-api.php +215 -0
- classes/index.php +2 -0
- disable-json-api.php +18 -52
- functions/index.php +2 -0
- functions/legacy.php +16 -0
- index.php +2 -0
- languages/index.php +2 -0
- readme.txt +41 -23
- uninstall.php +18 -0
admin.php
ADDED
@@ -0,0 +1,95 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
1 |
+
<style>
|
2 |
+
#DRA_container ul li {
|
3 |
+
padding-left: 20px;
|
4 |
+
}
|
5 |
+
|
6 |
+
#DRA_container em {
|
7 |
+
font-size: 0.8em;
|
8 |
+
}
|
9 |
+
</style>
|
10 |
+
|
11 |
+
<script>
|
12 |
+
function dra_namespace_click(namespace, id) {
|
13 |
+
if (jQuery('#dra_namespace_' + id).is(":checked")) {
|
14 |
+
jQuery("input[data-namespace='" + namespace + "']").prop('checked', true);
|
15 |
+
} else {
|
16 |
+
jQuery("input[data-namespace='" + namespace + "']").prop('checked', false);
|
17 |
+
}
|
18 |
+
};
|
19 |
+
</script>
|
20 |
+
|
21 |
+
<div class="wrap">
|
22 |
+
<h1><?php echo esc_html__( "Disable REST API", "disable-json-api" ); ?></h1>
|
23 |
+
<?php settings_errors( 'DRA-notices' ); ?>
|
24 |
+
<p><?php echo esc_html__( "By default, this plugin ensures that the entire REST API is protected from non-authenticated users. You may use this page to specify which endpoints should be allowed to behave as normal.", "disable-json-api" ); ?></p>
|
25 |
+
<p>
|
26 |
+
<strong><?php echo esc_html__( "IMPORTANT NOTE:", "disable-json-api" ); ?></strong> <?php echo esc_html__( "Checking a box merely restores default functionality to an endpoint . Other authentication and/or permissions may still be required for access, or other themes / plugins may also affect access to those endpoints. ", "disable - json - api" ); ?>
|
27 |
+
</p>
|
28 |
+
|
29 |
+
<form method="post" action="" id="DRA_form">
|
30 |
+
<?php wp_nonce_field( 'DRA_admin_nonce' ); ?>
|
31 |
+
|
32 |
+
<div id="DRA_container"><?php DRA_display_route_checkboxes(); ?></div>
|
33 |
+
|
34 |
+
<?php submit_button(); ?>
|
35 |
+
<input type="submit" name="reset"
|
36 |
+
value="<?php echo esc_attr__( "Reset Whitelisted Routes", "disable-json-api" ); ?>"
|
37 |
+
onclick="return confirm('<?php echo esc_attr__( "Are you sure you wish to clear all whitelisted rules?", "disable-json-api" ); ?>');">
|
38 |
+
</form>
|
39 |
+
</div>
|
40 |
+
|
41 |
+
<?php
|
42 |
+
/**
|
43 |
+
* Loop through all routes returned by the REST API and display them on-screen
|
44 |
+
*
|
45 |
+
*/
|
46 |
+
function DRA_display_route_checkboxes() {
|
47 |
+
$wp_rest_server = rest_get_server();
|
48 |
+
$all_namespaces = $wp_rest_server->get_namespaces();
|
49 |
+
$all_routes = array_keys( $wp_rest_server->get_routes() );
|
50 |
+
$whitelisted_routes = is_array( get_option( 'DRA_route_whitelist' ) ) ? get_option( 'DRA_route_whitelist' ) : array();
|
51 |
+
|
52 |
+
$loopCounter = 0;
|
53 |
+
$current_namespace = '';
|
54 |
+
|
55 |
+
foreach ( $all_routes as $route ) {
|
56 |
+
$is_route_namespace = in_array( ltrim( $route, "/" ), $all_namespaces );
|
57 |
+
$checkedProp = DRA_get_route_checked_prop( $route, $whitelisted_routes );
|
58 |
+
|
59 |
+
if ( $is_route_namespace || "/" == $route ) {
|
60 |
+
$current_namespace = $route;
|
61 |
+
if ( 0 != $loopCounter ) {
|
62 |
+
echo "</ul>";
|
63 |
+
}
|
64 |
+
|
65 |
+
$route_for_display = ( "/" == $route ) ? "/ <em>" . esc_html__( "REST API ROOT", "disable-json-api" ) . "</em>" : esc_html( $route );
|
66 |
+
echo "<h2><label><input name='rest_routes[]' value='$route' type='checkbox' id='dra_namespace_$loopCounter' onclick='dra_namespace_click(\"$route\", $loopCounter)' $checkedProp> $route_for_display</label></h2><ul>";
|
67 |
+
|
68 |
+
if ( "/" == $route ) {
|
69 |
+
echo "<li>" . sprintf( esc_html__( "On this website, the REST API root is %s", "disable-json-api" ), "<strong>" . rest_url() . "</strong>" ) . "</li>";
|
70 |
+
}
|
71 |
+
|
72 |
+
} else {
|
73 |
+
echo "<li><label><input name='rest_routes[]' value='$route' type='checkbox' data-namespace='$current_namespace' $checkedProp> " . esc_html( $route ) . "</label></li>";
|
74 |
+
}
|
75 |
+
|
76 |
+
$loopCounter ++;
|
77 |
+
}
|
78 |
+
echo "</ul>";
|
79 |
+
}
|
80 |
+
|
81 |
+
|
82 |
+
/**
|
83 |
+
* During comparison, encode the route being requested in the same fashion that it's stored in the database option
|
84 |
+
* Encoding during save happens in Disable_REST_API::maybe_process_settings_form()
|
85 |
+
*
|
86 |
+
* @param $route
|
87 |
+
* @param $whitelisted_routes
|
88 |
+
*
|
89 |
+
* @return string
|
90 |
+
*/
|
91 |
+
function DRA_get_route_checked_prop( $route, $whitelisted_routes ) {
|
92 |
+
$is_route_checked = in_array( esc_html( $route ), $whitelisted_routes, true );
|
93 |
+
|
94 |
+
return checked( $is_route_checked, true, false );
|
95 |
+
}
|
classes/disable-rest-api.php
ADDED
@@ -0,0 +1,215 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
1 |
+
<?php
|
2 |
+
|
3 |
+
/**
|
4 |
+
* Disable_REST_API class
|
5 |
+
*
|
6 |
+
* Most of the work is done in here
|
7 |
+
*/
|
8 |
+
class Disable_REST_API {
|
9 |
+
|
10 |
+
const MENU_SLUG = 'disable_rest_api_settings';
|
11 |
+
const CAPABILITY = 'manage_options';
|
12 |
+
|
13 |
+
/**
|
14 |
+
* Stores 'disable-json-api/disable-json-api.php' typically
|
15 |
+
*
|
16 |
+
* @var string
|
17 |
+
*/
|
18 |
+
private $base_file_path;
|
19 |
+
|
20 |
+
|
21 |
+
/**
|
22 |
+
* Disable_REST_API constructor.
|
23 |
+
*
|
24 |
+
* @param $path
|
25 |
+
*/
|
26 |
+
public function __construct( $path ) {
|
27 |
+
|
28 |
+
// Set variable so the class knows how to reference the plugin
|
29 |
+
$this->base_file_path = plugin_basename( $path );
|
30 |
+
|
31 |
+
add_action( 'admin_menu', array( &$this, 'define_admin_link' ) );
|
32 |
+
|
33 |
+
add_filter( 'rest_authentication_errors', array( &$this, 'whitelist_routes' ), 20 );
|
34 |
+
|
35 |
+
}
|
36 |
+
|
37 |
+
|
38 |
+
/**
|
39 |
+
* Checks for a current route being requested, and processes the whitelist
|
40 |
+
*
|
41 |
+
* @param $access
|
42 |
+
*
|
43 |
+
* @return WP_Error|null|boolean
|
44 |
+
*/
|
45 |
+
public function whitelist_routes( $access ) {
|
46 |
+
|
47 |
+
// Return current value of $access and skip all plugin functionality
|
48 |
+
if ( $this->allow_rest_api() ) {
|
49 |
+
return $access;
|
50 |
+
}
|
51 |
+
|
52 |
+
$current_route = $this->get_current_route();
|
53 |
+
|
54 |
+
if ( ! empty( $current_route ) && ! $this->is_whitelisted( $current_route ) ) {
|
55 |
+
return $this->get_wp_error( $access );
|
56 |
+
}
|
57 |
+
|
58 |
+
return $access;
|
59 |
+
|
60 |
+
}
|
61 |
+
|
62 |
+
|
63 |
+
/**
|
64 |
+
* Current REST route getter.
|
65 |
+
*
|
66 |
+
* @return string
|
67 |
+
*/
|
68 |
+
private function get_current_route() {
|
69 |
+
$rest_route = $GLOBALS['wp']->query_vars['rest_route'];
|
70 |
+
|
71 |
+
return ( empty( $rest_route ) || '/' == $rest_route ) ?
|
72 |
+
$rest_route :
|
73 |
+
untrailingslashit( $rest_route );
|
74 |
+
}
|
75 |
+
|
76 |
+
|
77 |
+
/**
|
78 |
+
* Checks a route for whether it belongs to the whitelist
|
79 |
+
*
|
80 |
+
* @param $currentRoute
|
81 |
+
*
|
82 |
+
* @return boolean
|
83 |
+
*/
|
84 |
+
private function is_whitelisted( $currentRoute ) {
|
85 |
+
|
86 |
+
return array_reduce( $this->get_route_whitelist_option(), function ( $isMatched, $pattern ) use ( $currentRoute ) {
|
87 |
+
return $isMatched || (bool) preg_match( '@^' . htmlspecialchars_decode( $pattern ) . '$@i', $currentRoute );
|
88 |
+
}, false );
|
89 |
+
|
90 |
+
}
|
91 |
+
|
92 |
+
|
93 |
+
/**
|
94 |
+
* Get `DRA_route_whitelist` option array from database
|
95 |
+
*
|
96 |
+
* @return array
|
97 |
+
*/
|
98 |
+
private function get_route_whitelist_option() {
|
99 |
+
|
100 |
+
return (array) get_option( 'DRA_route_whitelist', array() );
|
101 |
+
|
102 |
+
}
|
103 |
+
|
104 |
+
|
105 |
+
/**
|
106 |
+
* Add a menu
|
107 |
+
*
|
108 |
+
* @return void
|
109 |
+
*/
|
110 |
+
public function define_admin_link() {
|
111 |
+
|
112 |
+
add_options_page( esc_html__( 'Disable REST API Settings', 'disable-json-api' ), esc_html__( 'Disable REST API', 'disable-json-api' ), self::CAPABILITY, self::MENU_SLUG, array(
|
113 |
+
&$this,
|
114 |
+
'settings_page'
|
115 |
+
) );
|
116 |
+
add_filter( "plugin_action_links_$this->base_file_path", array( &$this, 'settings_link' ) );
|
117 |
+
|
118 |
+
}
|
119 |
+
|
120 |
+
|
121 |
+
/**
|
122 |
+
* Add Settings Link to plugins page
|
123 |
+
*
|
124 |
+
* @param $links
|
125 |
+
*
|
126 |
+
* @return array
|
127 |
+
*/
|
128 |
+
public function settings_link( $links ) {
|
129 |
+
|
130 |
+
$settings_url = menu_page_url( self::MENU_SLUG );
|
131 |
+
$settings_link = "<a href='$settings_url'>" . esc_html__( "Settings", "disable-json-api" ) . "</a>";
|
132 |
+
array_unshift( $links, $settings_link );
|
133 |
+
|
134 |
+
return $links;
|
135 |
+
}
|
136 |
+
|
137 |
+
|
138 |
+
/**
|
139 |
+
* Menu Callback
|
140 |
+
*
|
141 |
+
* @return void
|
142 |
+
*/
|
143 |
+
public function settings_page() {
|
144 |
+
|
145 |
+
$this->maybe_process_settings_form();
|
146 |
+
|
147 |
+
// Render the settings template
|
148 |
+
include( __DIR__ . "/../admin.php" );
|
149 |
+
|
150 |
+
}
|
151 |
+
|
152 |
+
|
153 |
+
/**
|
154 |
+
* Process the admin page settings form submission
|
155 |
+
*
|
156 |
+
* @return void
|
157 |
+
*/
|
158 |
+
private function maybe_process_settings_form() {
|
159 |
+
|
160 |
+
if ( ! ( isset( $_POST['_wpnonce'] ) && check_admin_referer( 'DRA_admin_nonce' ) ) ) {
|
161 |
+
return;
|
162 |
+
}
|
163 |
+
|
164 |
+
if ( ! current_user_can( self::CAPABILITY ) ) {
|
165 |
+
return;
|
166 |
+
}
|
167 |
+
|
168 |
+
// Catch the routes that should be whitelisted
|
169 |
+
$rest_routes = ( isset( $_POST['rest_routes'] ) ) ?
|
170 |
+
array_map( 'esc_html', wp_unslash( $_POST['rest_routes'] ) ) :
|
171 |
+
null;
|
172 |
+
|
173 |
+
// If resetting or whitelist is empty, clear the option and exit the function
|
174 |
+
if ( empty( $rest_routes ) || isset( $_POST['reset'] ) ) {
|
175 |
+
delete_option( 'DRA_route_whitelist' );
|
176 |
+
add_settings_error( 'DRA-notices', esc_attr( 'settings_updated' ), esc_html__( 'All whitelists have been removed.' ), 'updated' );
|
177 |
+
|
178 |
+
return;
|
179 |
+
}
|
180 |
+
|
181 |
+
// Save whitelist to the Options table
|
182 |
+
update_option( 'DRA_route_whitelist', $rest_routes );
|
183 |
+
add_settings_error( 'DRA-notices', esc_attr( 'settings_updated' ), esc_html__( 'Whitelist settings saved.' ), 'updated' );
|
184 |
+
|
185 |
+
}
|
186 |
+
|
187 |
+
|
188 |
+
/**
|
189 |
+
* Allow carte blanche access for logged-in users (or allow override via filter)
|
190 |
+
*
|
191 |
+
* @return bool
|
192 |
+
*/
|
193 |
+
private function allow_rest_api() {
|
194 |
+
return (bool) apply_filters( 'dra_allow_rest_api', is_user_logged_in() );
|
195 |
+
}
|
196 |
+
|
197 |
+
|
198 |
+
/**
|
199 |
+
* If $access is already a WP_Error object, add our error to the list
|
200 |
+
* Otherwise return a new one
|
201 |
+
*
|
202 |
+
* @param $access
|
203 |
+
*
|
204 |
+
* @return WP_Error
|
205 |
+
*/
|
206 |
+
private function get_wp_error( $access ) {
|
207 |
+
$error_message = esc_html__( 'DRA: Only authenticated users can access the REST API.', 'disable-json-api' );
|
208 |
+
if ( is_wp_error( $access ) ) {
|
209 |
+
return $access->add( 'rest_cannot_access', $error_message, array( 'status' => rest_authorization_required_code() ) );
|
210 |
+
}
|
211 |
+
|
212 |
+
return new WP_Error( 'rest_cannot_access', $error_message, array( 'status' => rest_authorization_required_code() ) );
|
213 |
+
}
|
214 |
+
|
215 |
+
}
|
classes/index.php
ADDED
@@ -0,0 +1,2 @@
|
|
|
|
|
1 |
+
<?php
|
2 |
+
// Silence is golden.
|
disable-json-api.php
CHANGED
@@ -3,64 +3,30 @@
|
|
3 |
* Plugin Name: Disable REST API
|
4 |
* Plugin URI: http://www.binarytemplar.com/disable-json-api
|
5 |
* Description: Disable the use of the JSON REST API on your website to anonymous users
|
6 |
-
* Version: 1.
|
7 |
* Author: Dave McHale
|
8 |
* Author URI: http://www.binarytemplar.com
|
|
|
|
|
9 |
* License: GPL2+
|
10 |
*/
|
11 |
|
12 |
-
|
13 |
-
|
14 |
-
|
15 |
-
DRA_Force_Auth_Error();
|
16 |
-
} else {
|
17 |
-
DRA_Disable_Via_Filters();
|
18 |
-
}
|
19 |
-
|
20 |
-
//\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
|
21 |
-
//\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
|
22 |
-
//\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
|
23 |
-
|
24 |
-
/**
|
25 |
-
* This function is called if the current version of WordPress is 4.7 or above
|
26 |
-
* Forcibly raise an authentication error to the REST API if the user is not logged in
|
27 |
-
*/
|
28 |
-
function DRA_Force_Auth_Error() {
|
29 |
-
add_filter( 'rest_authentication_errors', 'DRA_only_allow_logged_in_rest_access' );
|
30 |
}
|
31 |
|
32 |
-
|
33 |
-
|
34 |
-
|
35 |
-
|
36 |
-
function DRA_Disable_Via_Filters() {
|
37 |
-
|
38 |
-
// Filters for WP-API version 1.x
|
39 |
-
add_filter( 'json_enabled', '__return_false' );
|
40 |
-
add_filter( 'json_jsonp_enabled', '__return_false' );
|
41 |
-
|
42 |
-
// Filters for WP-API version 2.x
|
43 |
-
add_filter( 'rest_enabled', '__return_false' );
|
44 |
-
add_filter( 'rest_jsonp_enabled', '__return_false' );
|
45 |
|
46 |
-
|
47 |
-
|
48 |
-
|
49 |
-
|
50 |
-
|
|
|
|
|
|
|
51 |
}
|
52 |
-
|
53 |
-
/**
|
54 |
-
* Returning an authentication error if a user who is not logged in tries to query the REST API
|
55 |
-
* @param $access
|
56 |
-
* @return WP_Error
|
57 |
-
*/
|
58 |
-
function DRA_only_allow_logged_in_rest_access( $access ) {
|
59 |
-
|
60 |
-
if( ! is_user_logged_in() ) {
|
61 |
-
return new WP_Error( 'rest_cannot_access', __( 'Only authenticated users can access the REST API.', 'disable-json-api' ), array( 'status' => rest_authorization_required_code() ) );
|
62 |
-
}
|
63 |
-
|
64 |
-
return $access;
|
65 |
-
|
66 |
-
}
|
3 |
* Plugin Name: Disable REST API
|
4 |
* Plugin URI: http://www.binarytemplar.com/disable-json-api
|
5 |
* Description: Disable the use of the JSON REST API on your website to anonymous users
|
6 |
+
* Version: 1.4
|
7 |
* Author: Dave McHale
|
8 |
* Author URI: http://www.binarytemplar.com
|
9 |
+
* Text Domain: disable-json-api
|
10 |
+
* Domain Path: /languages
|
11 |
* License: GPL2+
|
12 |
*/
|
13 |
|
14 |
+
// If this file is called directly, abort.
|
15 |
+
if ( ! defined( 'WPINC' ) ) {
|
16 |
+
die;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
17 |
}
|
18 |
|
19 |
+
// Remove REST API info from head and headers
|
20 |
+
remove_action( 'xmlrpc_rsd_apis', 'rest_output_rsd' );
|
21 |
+
remove_action( 'wp_head', 'rest_output_link_wp_head', 10 );
|
22 |
+
remove_action( 'template_redirect', 'rest_output_link_header', 11 );
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
23 |
|
24 |
+
// WordPress 4.7+ disables the REST API via authentication short-circuit.
|
25 |
+
// For versions of WordPress < 4.7, disable the REST API via filters
|
26 |
+
if ( version_compare( get_bloginfo( 'version' ), '4.7', '>=' ) ) {
|
27 |
+
require_once( plugin_dir_path( __FILE__ ) . 'classes/disable-rest-api.php' );
|
28 |
+
new Disable_REST_API( __FILE__ );
|
29 |
+
} else {
|
30 |
+
require_once( plugin_dir_path( __FILE__ ) . 'functions/legacy.php' );
|
31 |
+
DRA_Disable_Via_Filters();
|
32 |
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
functions/index.php
ADDED
@@ -0,0 +1,2 @@
|
|
|
|
|
1 |
+
<?php
|
2 |
+
// Silence is golden.
|
functions/legacy.php
ADDED
@@ -0,0 +1,16 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
1 |
+
<?php
|
2 |
+
/**
|
3 |
+
* This function gets called if the current version of WordPress is less than 4.7
|
4 |
+
* We are able to make use of filters to actually disable the functionality entirely
|
5 |
+
*/
|
6 |
+
function DRA_Disable_Via_Filters() {
|
7 |
+
|
8 |
+
// Filters for WP-API version 1.x
|
9 |
+
add_filter( 'json_enabled', '__return_false' );
|
10 |
+
add_filter( 'json_jsonp_enabled', '__return_false' );
|
11 |
+
|
12 |
+
// Filters for WP-API version 2.x
|
13 |
+
add_filter( 'rest_enabled', '__return_false' );
|
14 |
+
add_filter( 'rest_jsonp_enabled', '__return_false' );
|
15 |
+
|
16 |
+
}
|
index.php
ADDED
@@ -0,0 +1,2 @@
|
|
|
|
|
1 |
+
<?php
|
2 |
+
// Silence is golden.
|
languages/index.php
ADDED
@@ -0,0 +1,2 @@
|
|
|
|
|
1 |
+
<?php
|
2 |
+
// Silence is golden.
|
readme.txt
CHANGED
@@ -1,29 +1,31 @@
|
|
1 |
=== Disable REST API ===
|
2 |
-
Contributors: dmchale
|
3 |
Tags: admin, api, json, REST, rest-api, disable
|
4 |
-
Requires at least: 4.
|
5 |
-
|
6 |
-
|
|
|
7 |
License: GPLv2 or later
|
8 |
License URI: http://www.gnu.org/licenses/gpl-2.0.html
|
9 |
|
10 |
-
Disable the use of the JSON REST API on your website to
|
11 |
|
12 |
== Description ==
|
13 |
|
14 |
-
**
|
15 |
-
|
16 |
-
|
|
|
|
|
|
|
17 |
|
18 |
-
|
19 |
-
|
20 |
-
|
21 |
-
for many reasons, it is also not functionality that every site admin is going to want enabled on their website if not
|
22 |
-
necessary.
|
23 |
|
24 |
For WordPress versions 4.4, 4.5 and 4.6, this plugin makes use of the `rest_enabled` filter provided by the API to
|
25 |
-
disable the API functionality.
|
26 |
-
|
27 |
|
28 |
== Installation ==
|
29 |
|
@@ -34,18 +36,34 @@ area
|
|
34 |
|
35 |
== Frequently Asked Questions ==
|
36 |
|
37 |
-
=
|
|
|
|
|
|
|
|
|
|
|
38 |
|
39 |
-
|
40 |
-
|
41 |
-
|
|
|
|
|
42 |
|
43 |
== Screenshots ==
|
44 |
|
45 |
-
1. The JSON returned by a website
|
|
|
46 |
|
47 |
== Changelog ==
|
48 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
49 |
= 1.3 =
|
50 |
* Tested for WP v4.7
|
51 |
* Adding new functionality to raise authentication errors in 4.7+ for non-logged-in users
|
@@ -62,11 +80,11 @@ should be safe.
|
|
62 |
|
63 |
== Upgrade Notice ==
|
64 |
|
65 |
-
= 1.
|
66 |
-
*
|
67 |
|
68 |
= 1.1 =
|
69 |
* Now with support for the 2.0 beta API filters
|
70 |
|
71 |
= 1.0 =
|
72 |
-
* Initial Release
|
1 |
=== Disable REST API ===
|
2 |
+
Contributors: dmchale, tangrufus
|
3 |
Tags: admin, api, json, REST, rest-api, disable
|
4 |
+
Requires at least: 4.4
|
5 |
+
Requires PHP: 5.3
|
6 |
+
Tested up to: 4.8
|
7 |
+
Stable tag: 1.4
|
8 |
License: GPLv2 or later
|
9 |
License URI: http://www.gnu.org/licenses/gpl-2.0.html
|
10 |
|
11 |
+
Disable the use of the JSON REST API on your website to unauthenticated users.
|
12 |
|
13 |
== Description ==
|
14 |
|
15 |
+
** Version 1.4 now supports whitelisting of individual routes within the REST API **
|
16 |
+
|
17 |
+
The engine for the API has existed in WordPress since v4.4, but additional functionality and endpoints are a
|
18 |
+
continual project. While this is very exciting news for many reasons - and many plugins, themes, and even pieces of
|
19 |
+
WordPress core are already beginning to use the REST API - it is also not functionality that every site admin is going
|
20 |
+
to want enabled on their website if not necessary.
|
21 |
|
22 |
+
As of WordPress 4.7, the filters provided for disabling the REST API were removed. To compensate, this plugin will
|
23 |
+
forcibly return an authentication error to any API requests from sources who are not logged into your website, which
|
24 |
+
will effectively still prevent unauthorized requests from using the REST API to get information from your website.
|
|
|
|
|
25 |
|
26 |
For WordPress versions 4.4, 4.5 and 4.6, this plugin makes use of the `rest_enabled` filter provided by the API to
|
27 |
+
disable the API functionality. However, it is strongly recommended that all site owners run the most recent version
|
28 |
+
of WordPress except where absolutely necessary.
|
29 |
|
30 |
== Installation ==
|
31 |
|
36 |
|
37 |
== Frequently Asked Questions ==
|
38 |
|
39 |
+
= How do I know if this plugin is working? =
|
40 |
+
|
41 |
+
While logged into WordPress as any user, the REST API will function as intended. Because of this, you must use a new
|
42 |
+
browser - or Chrome's incognito mode - to test your website with a clean session. Go to yourdomain.com/wp-json/ (or
|
43 |
+
yourdomain.com/?rest_route=/ if you have pretty permalinks disabled) while NOT LOGGED IN to test the results. You will
|
44 |
+
see an authentication error returned if the plugin is active. "DRA: Only authenticated users can access the REST API."
|
45 |
|
46 |
+
= Does this plugin disable all REST API's installed? =
|
47 |
+
|
48 |
+
This plugin is ONLY meant to disable endpoints accessible via the default REST API that is part of WordPress itself. If
|
49 |
+
a plugin or theme chooses to register its namespace with the core REST API, its endpoints will - by default - by
|
50 |
+
disabled so long as this plugin is active. Namespaces and routes may be whitelisted via this plugin's Settings page.
|
51 |
|
52 |
== Screenshots ==
|
53 |
|
54 |
+
1. The JSON returned by a website with the API disabled via filters (WP versions 4.4, 4.5, 4.6)
|
55 |
+
2. The JSON returned by a website with the API disabled via authentication methods (WP versions 4.7+)
|
56 |
|
57 |
== Changelog ==
|
58 |
|
59 |
+
= 1.4 =
|
60 |
+
* Tested for WP v4.8
|
61 |
+
* Tested for PHP 5.3+
|
62 |
+
* Added settings screen
|
63 |
+
* Site Admins may now whitelist routes that they wish to allow unauthenticated access to
|
64 |
+
* Added `dra_allow_rest_api` filter to the is_logged_in() check, so developers can get more granular with permissions
|
65 |
+
* Props to @tangrufus for all of the help that went into this release
|
66 |
+
|
67 |
= 1.3 =
|
68 |
* Tested for WP v4.7
|
69 |
* Adding new functionality to raise authentication errors in 4.7+ for non-logged-in users
|
80 |
|
81 |
== Upgrade Notice ==
|
82 |
|
83 |
+
= 1.4 =
|
84 |
+
* Adds support to optionally whitelist individual routes of the REST API via Settings page.
|
85 |
|
86 |
= 1.1 =
|
87 |
* Now with support for the 2.0 beta API filters
|
88 |
|
89 |
= 1.0 =
|
90 |
+
* Initial Release
|
uninstall.php
ADDED
@@ -0,0 +1,18 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
1 |
+
<?php
|
2 |
+
/**
|
3 |
+
* This file magically runs when the plugin is deleted
|
4 |
+
*
|
5 |
+
* Direct from https://developer.wordpress.org/plugins/the-basics/uninstall-methods/
|
6 |
+
*/
|
7 |
+
|
8 |
+
// if uninstall.php is not called by WordPress, die
|
9 |
+
if ( ! defined( 'WP_UNINSTALL_PLUGIN' ) ) {
|
10 |
+
die;
|
11 |
+
}
|
12 |
+
|
13 |
+
$option_name = 'DRA_route_whitelist';
|
14 |
+
|
15 |
+
delete_option( $option_name );
|
16 |
+
|
17 |
+
// for site options in Multisite
|
18 |
+
delete_site_option( $option_name );
|