permission_callback has no effect
WP version is 5.5.3
I have 3 API routes set in a plugin that is used in an admin dashboard page. One route is meant to be used publicly.
I have two very curious issues happening:
- My 3 admin-centric routes do not specify permission_callback. I should be getting notices but I do not when the docs and WP core functions say it will throw a doing_it_wrong error.
- My 4th public route does have 'permission_callback' => '__return_true' set. I receive a rest_not_logged_in error code.
    class My_Plugin
    {
        public function __construct()
        {
            add_action( 'rest_api_init', [ $this, 'register_routes' ] );
        }

        public function register_routes(): void
        {
            // Admin-centric routes: no permission_callback specified.
            register_rest_route('my-api-route', '/uri', [
                'methods' => WP_REST_Server::READABLE,
                'callback' => [$this, 'api_get_available_stuff'],
            ]);
            register_rest_route('my-api-route', '/uri/(?P<param>[a-zA-Z0-9-]+)', [
                'methods' => WP_REST_Server::READABLE,
                'callback' => [$this, 'api_get_specific_stuff'],
            ]);
            register_rest_route('my-api-route', '/uri/(?P<param>[0-9-]+)', [
                'methods' => WP_REST_Server::EDITABLE,
                'callback' => [$this, 'api_update_specific_stuff'],
            ]);
            // Public route: permission_callback always returns true.
            register_rest_route('my-api-route', '/uri/(?P<param>[a-zA-Z0-9-]+)/load-more', [
                'methods' => WP_REST_Server::READABLE,
                'callback' => [$this, 'api_load_more_stuff'],
                'permission_callback' => '__return_true',
            ]);
        }
    }
    // header approach
    $.ajax({
        url: '/wp-json/my-api-route/uri/param/load-more',
        method: 'GET',
        headers: {
            'X-WP-Nonce': '<?php echo wp_create_nonce('wp_rest'); ?>'
        },
        data: {
            'max_items': 5,
            'offset': 5 * current_count,
        },
    })

    // _wpnonce approach
    $.ajax({
        url: '/wp-json/my-api-route/uri/param/load-more',
        method: 'GET',
        data: {
            '_wpnonce': '<?php echo wp_create_nonce('wp_rest'); ?>',
            'max_items': 5,
            'offset': 5 * current_count,
        },
    })
My only conclusion could be that, despite seeing Version 5.5.3 in the bottom corner of WP Admin, I might not actually be on 5.5.3.
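
Added example, not part of the original question and not the asker's code: the same namespace and two of the routes registered with an explicit permission_callback on the admin route and validated, bounded arguments on the public one. The class name My_Plugin_Routes, the manage_options capability, the numeric bounds and the callback bodies are assumptions.

```php
<?php
// Added example. Class name, capability, bounds and callback bodies are assumptions.
class My_Plugin_Routes
{
    public function __construct()
    {
        add_action( 'rest_api_init', [ $this, 'register_routes' ] );
    }

    public function register_routes(): void
    {
        // Admin-only: without a permission_callback this route would be public.
        register_rest_route( 'my-api-route', '/uri/(?P<param>[0-9-]+)', [
            'methods'             => WP_REST_Server::EDITABLE,
            'callback'            => [ $this, 'api_update_specific_stuff' ],
            'permission_callback' => [ $this, 'require_admin' ],
        ] );
        // Deliberately public: __return_true records that choice; inputs are bounded.
        register_rest_route( 'my-api-route', '/uri/(?P<param>[a-zA-Z0-9-]+)/load-more', [
            'methods'             => WP_REST_Server::READABLE,
            'callback'            => [ $this, 'api_load_more_stuff' ],
            'permission_callback' => '__return_true',
            'args'                => [
                'max_items' => $this->bounded_int( 5, 1, 50 ),
                'offset'    => $this->bounded_int( 0, 0, 10000 ),
            ],
        ] );
    }

    // With cookie authentication the request must carry a wp_rest nonce
    // (X-WP-Nonce header or _wpnonce parameter); without one WordPress treats
    // the request as logged out and this check returns false.
    public function require_admin(): bool
    {
        return current_user_can( 'manage_options' );
    }

    // Argument schema: integer within [$min, $max], validated and cast by core.
    private function bounded_int( int $default, int $min, int $max ): array
    {
        return [
            'type' => 'integer', 'default' => $default, 'minimum' => $min, 'maximum' => $max,
            'validate_callback' => 'rest_validate_request_arg',
            'sanitize_callback' => 'rest_sanitize_request_arg',
        ];
    }

    // Placeholder handlers that echo the validated parameters back.
    public function api_update_specific_stuff( WP_REST_Request $r ) { return rest_ensure_response( [ 'updated' => $r['param'] ] ); }
    public function api_load_more_stuff( WP_REST_Request $r ) { return rest_ensure_response( [ 'max_items' => $r['max_items'], 'offset' => $r['offset'] ] ); }
}
```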