I want to hide the definition of endpoints in a WordPress rest api... in the case of https://www.wpwhitesecurity.com/wp-json I want to return a 404 or an empty array, but not the list of endpoints of the site.
Some idea?
Thanks!
From version 4.4.0 exists the hook rest_index, the documentation in https://developer.wordpress.org/reference/hooks/rest_index/ describes :
This contains the data describing the API. This includes information
about supported authentication schemes, supported namespaces, routes
available on the API, and a small amount of data about the site.
The next code is working perfectly as I needed :
function my_site_rest_index( $response ){
return array();
}
add_filter('rest_index', 'my_site_rest_index');
function chuck_disable_rest_endpoints( $access ) {
if( ! is_user_logged_in() ) {
return new WP_Error( 'rest_cannot_access', __( 'Only logged users are able to call REST API.', 'disable-json-api' ), array( 'status' => rest_authorization_required_code() ) );
}return $access;
}
add_filter( 'rest_authentication_errors', 'chuck_disable_rest_endpoints' );
This will return that only logged users can access to API
Related
Wordpress has an awesome REST API interface.
https://developer.wordpress.org/rest-api/reference/
But the content in wp_options table seems to be missing REST support. Is there a way to access the content in wp_otions table as REST endpoint via plugins?. Thanks.
There is the settings endpoint, but it only contains a surprisingly limited amount of them it seems.
This is something you could very easily do yourself though. I'm not sure if any plugins do it, but I also wouldn't recommend a plugin for something that can be done with less than 20 lines of code.
You just need to register a route using register_rest_route() on the rest_api_init hook, and pass it a callback function. You can drop code like this in your functions.php file or create a Must Use Plugin and drop the code in there, either way.
add_action( 'rest_api_init', function () {
register_rest_route( 'my-custom-route/v1', '/opt/', array(
'methods' => 'GET',
'callback' => 'get_rest_option',
//'permission_callback' => function () {
// return current_user_can( 'administrator' );
//}
) );
} );
function get_rest_option( $data ) {
return get_option( $data['option_name'] );
}
The above will give you access to whatever option you want by accessing:
/wp-json/my-custom-route/v1/opt/?option_name=siteurl
I went ahead and dropped an example on a site of mine:
https://xhynk.com/content-mask/wp-json/my-custom-route/v1/opt/?option_name=blogname
https://xhynk.com/content-mask/wp-json/my-custom-route/v1/opt/?option_name=siteurl
However, this will potentially expose anything in your options table. I went ahead and commented out the permission_callback so that any person, signed in or not, can access it. However, I also added a check like this:
function get_rest_option( $data ) {
if( $data['option_name'] === 'siteurl' || $data['option_name'] === 'blogname' ){
return get_option( $data['option_name'] );
} else {
return 'Unauthorized. Use `siteurl` or `blogname`';
}
}
You can see that home will fail: https://xhynk.com/content-mask/wp-json/my-custom-route/v1/opt/?option_name=home
I would recommend adding in a valid array of options, or using the permission_callback in order to lock it down a bit. You could even have an access key instead, and keep that key secret. Either way, be aware of the security implications of exposing your entire wp_options table, and take some sort of preventative measure!
I have setup a fresh docker container with Wordpress 5.0.3 and the latest WC and WC Eway plugin (WooCommerce eWAY Gateway).
Created a store with some products, hooked up my Eway sandbox environment, enabled Save Cards (which would enable the token) and created an order.
After checking the post_meta in my DB for the order, I didn't see a _eway_token_customer_id field. While being logged in as a customer, I tried again and with the new order I still do not get a token.
The reason for this tests is that I got this strange behaviour in my real, new website, where the first order with a NEW customer, doesn't result in a token.
However, when I create a second order whilst being logged in, I do get a _eway_token_customer_id value within the order_meta.
It is imperative for me to get that token with the first order, because after that I will auto renew the product using the tokenp ayment option.
Debugging this issue is hell, and I find it very disconcerting that on my fresh WP installation I get no token at all.
Is there anyone that has a bright idea?
**update
After some digging around in the Eway Plugin, I found out that the first time I do an order, the function request_access_code() from the class WC_Gateway_EWAY is checking if there is a token in the database for this user.
The function body:
protected function request_access_code( $order ) {
$token_payment = $this->get_token_customer_id( $order );
if ( $token_payment && 'new' === $token_payment ) {
$result = json_decode( $this->get_api()->request_access_code( $order, 'TokenPayment', 'Recurring' ) );
} elseif ( 0 === $order->get_total() && 'shop_subscription' === ( version_compare( WC_VERSION, '3.0', '<' ) ? $order->order_type : $order->get_type() ) ) {
$result = json_decode( $this->get_api()->request_access_code( $order, 'CreateTokenCustomer', 'Recurring' ) );
} else {
$result = json_decode( $this->get_api()->request_access_code( $order ) );
}
if ( isset( $result->Errors ) && ! is_null( $result->Errors ) ) {
throw new Exception( $this->response_message_lookup( $result->Errors ) );
}
return $result;
}
The function handles three possible outcomes:
1) new customer: results in calling `$this->get_api()->request_access_code( $order, 'TokenPayment', 'Recurring' )` <-- this is the one we are after!
2) shop_subscription: calls `$this->get_api()->request_access_code( $order, 'CreateTokenCustomer', 'Recurring' )`
3) else..: calls `$this->get_api()->request_access_code( $order )`
What is happening during debugging, is that the $token_payment variable has the value of an empty string for a new customer, instead of new.
So I will attempt to fix this, either via a filter/action hook, or figure out why this is happening.
When I forced the function the always use the first if block, I got my token. :)
**Update 2:
I tested with an existing user account, created a new order.
When I look in the post_meta table:
Voila, the new value is present.
However, when I am not logged in and I create an account, the new value is not added and that is where it goes wrong.
A temp fix would be to use a hook and add the new value to the order so that when get_token_customer_id is called it retrieves a new value and not an empty string.
I think this is a bug, since this value should be added. It explains why the second transactions get the token but not the first.
If only Woocommerce Eway plugin had a git repo.... I could flag an issue or fork it.
***Solution without hack
Added this to my plugin (or functions.php if you like):
add_action( 'woocommerce_checkout_order_processed', function( $order_id, $posted_data, $order ) {
update_post_meta( $order_id, '_eway_token_customer_id', 'new' );
}, 10, 3);
This will add the new value when you checkout with a non-existent user.
The token was added nicely after adding my creditcard details.
The matter of the fact stays that the plugin still has a bug, which you can work around.
I have built a Wordpress plugin that among other things, creates several Woocommerce Webhooks upon activation. This is done using internal API classes and functions, as per below:
function createWebhook($userID,$topic,$secret,$deliveryURL,$status)
{
$webhook = new WC_Webhook();
$webhook->set_user_id($userID); // User ID used while generating the webhook payload.
$webhook->set_topic( $topic ); // Event used to trigger a webhook.
$webhook->set_secret( $secret ); // Secret to validate webhook when received.
$webhook->set_delivery_url( $deliveryURL ); // URL where webhook should be sent.
$webhook->set_status( $status ); // Webhook status.
$save = $webhook->save();
return $save;
}
This works well.
What I want to be able to do is remove these Webhooks upon deactivation of the plugin. Is there any way to fetch the Woocommerce Webhooks via the internal Wordpress or Woocommerce API, so I can loop through and remove the relevant ones?
I would just remove all Webhooks where the delivery URL has a domain of xyz.com. This part is straight-forward, I just don't know how to fetch the Webhooks.
I don't want to use the external Woocommerce API, which requires an API key and HTTP requests.
Thanks
I ended up querying the database to get the webhooks, which looks to be working well. I'm not sure there's any other way. Please let me know if there is!
global $wpdb;
$results = $wpdb->get_results( "SELECT webhook_id, delivery_url FROM {$wpdb->prefix}wc_webhooks" );
foreach($results as $result)
{
if(strpos($result->delivery_url, 'domain.com') !== false)
{
$wh = new WC_Webhook();
$wh->set_id($result->webhook_id);
$wh->delete();
}
}
#greg's answer points you in the right direction, but the returned data is just an array of ID's for each webhook, to get more data you need to parse those ID's into webhook objects - which has protected props, but public getter methods, like so:
$data_store = \WC_Data_Store::load( 'webhook' );
$webhooks = $data_store->search_webhooks([ 'status' => 'active', 'paginate' => true ] );
$_items = array_map( 'wc_get_webhook', $webhooks->webhooks );
$_array = [];
foreach( $_items as $_item ){
$_array[] = [
'id' => $_item->get_id(),
'name' => $_item->get_name(),
'topic' => $_item->get_topic(),
'delivery_url' => $_item->get_delivery_url(),
'secret' => $_item->get_secret(),
];
}
You can get an array of all webhook IDs with the following:
$data_store = WC_Data_Store::load( 'webhook' );
$webhooks = $data_store->search_webhooks();
That's what WooCommerce does when building the table list:
https://github.com/woocommerce/woocommerce/blob/master/includes/admin/class-wc-admin-webhooks-table-list.php
So I'm trying to work with the WP REST API. Using latest version of WP. I am using this in an external application and testing with Postman.
This is what I want to do:
display custom meta fields in the GET posts request
GET all posts (no limit)
create / update / delete (multiple) meta fields in one API request
Are these things possible with WP REST API? If so, can anyone share some examples?
I know all these work very well with WooCommerce REST API.
The better way is to use a custom endpoint to achieve this. You must create your own plugin for this...
//register different functions for different methods, use parameters in url for GET calls
register_rest_route('plugin_name', 'your_endpoint', array(
array('methods' => 'POST',
'callback' => 'magic_function',
))
);
function magic_function( $request ) {
//You can filter the query to get all posts (rest_{$this->post_type}_query)
add_filter('rest_post_query','my_custom_query', 10, 3);
$custom_request = new WP_REST_Request( 'GET', '/wp/v2/post');
$response= rest_do_request( $custom_request );
$response->data['meta_field'] = get_post_meta($response->data['id'], 'meta_field',true);
return new WP_REST_Response($response->data);
}
function my_custom_query($args, $request){
//returns all posts in request...
$args['numberposts'] = -1;
return $args;
}
I'm trying to load a RSS feed with Wordpress's built-in SimplePie.
include_once(ABSPATH . WPINC . '/feed.php');
$rssURL = 'http://missionstkitts.blogspot.com//feeds/posts/default';
$rss = fetch_feed($rssURL);
To debug, I used print_r($rss); and I get a WordPress error object:
WP_Error Object
(
[errors] => Array
(
[simplepie-error] => Array
(
[0] => WP HTTP Error: A valid URL was not provided.
)
)
[error_data] => Array
(
)
)
But, frustratingly, if I print $rssURL and then copy and paste it it goes straight to the correct feed. What is going on?
Since this is the first hit in google, probably worth me adding this possible solution:
For our instance - an intranet site, pulling an rss feed from another internal page, which in-turn resolves to an RFC1918 private address the feed was being blocked by Wordpress's URL checker for security reasons.
The easiest fix in my instance was to add the following to functions.php, but this does have security implications so be sure you understand it before you add it:
add_filter( 'http_request_args', function( $args ) {
$args['reject_unsafe_urls'] = false;
return $args;
} );
Further discussion and more information at - https://core.trac.wordpress.org/ticket/24646
By adding preg_match for specific urls we can minimize the amount of parsed unsafed urls:
function http_request_local( $args, $url ) {
if ( preg_match('/xml|rss|feed/', $url) ){
$args['reject_unsafe_urls'] = false;
}
return $args;
}
add_filter( 'http_request_args', 'http_request_local', 5, 2 );
So, while the above answers work, I think that there's a way to do this that is better to make sure that you're limiting the scope of where you're making the URL request to instead of allowing everything to go. So I'm proving the following information to anyone who stumbles across this just in case it helps.
This answer is useful if the resulting calls are to internal servers cross-communicating on private IPs but are still publicly accessible.
The snippet below is to be run on the site that's calling the RSS feed. The site that is providing the feed does not need this.
add_filter('http_request_host_is_external', function($bool, $host, $url){
if($url === 'https://www.example.com/news/feed/' && $host === 'www.example.com'){
return true;
}
}, 10, 3);