[Defender Pro] - Bypass REST API auth for preset routes
<?php | |
/**
 * Plugin Name: [Defender Pro] - Bypass REST API auth for preset routes
 * Plugin URI: https://premium.wpmudev.org/
 * Description: Exempts a preset list of REST routes from the authenticated-only lock that Defender applies once its "WordPress REST API" security tweak is resolved (written against Defender 2.2.2).
 * Author: Alessandro Kaounas @ WPMUDEV
 * Author URI: https://premium.wpmudev.org/
 * License: GPLv2 or later
 */
namespace WP_Defender\Module\Hardener\Component; | |
use Hammer\Helper\HTTP_Helper; | |
use WP_Defender\Module\Hardener\Model\Settings; | |
use WP_Defender\Module\Hardener\Rule; | |
// Abort if this file is requested directly rather than loaded by WordPress.
defined( 'ABSPATH' ) || exit;
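// The class lives in this file's namespace, so the guard must look it up there:
// checking the bare global name never matches and would let a second load
// of this file hit a "cannot redeclare class" fatal.
if ( ! class_exists( __NAMESPACE__ . '\\WPMUDEV_REST_API_Custom_Routes_Bypass' ) ) {
	/**
	 * Exempts a preset list of REST routes from the "logged-in users only" lock
	 * that Defender's "WordPress REST API" tweak applies.
	 *
	 * Hooked on `rest_authentication_errors` at priority 20. A request to one of
	 * the listed routes gets null (no authentication error) so the route's own
	 * permission callback decides; every other request gets the same lock
	 * Defender applies (401 unless logged in while the mode is "allow-auth"),
	 * and verdicts reached by other authentication handlers are left untouched.
	 */
	class WPMUDEV_REST_API_Custom_Routes_Bypass {

		/**
		 * REST routes to exempt, relative to the REST prefix, no leading slash.
		 * A route matches itself and everything below it, e.g.
		 * `contact-form-7/v1/contact-forms/5/feedback`.
		 *
		 * @var string[]
		 */
		private $routes = array(
			// Contact Form 7 REST route (form listing and submissions).
			'contact-form-7/v1/contact-forms',
		);

		/** @var self|null */
		private static $_instance = null;

		/**
		 * Returns the single instance, creating (and hooking) it on first use.
		 *
		 * @return self
		 */
		public static function get_instance() {
			if ( null === self::$_instance ) {
				self::$_instance = new self();
			}
			return self::$_instance;
		}

		private function __construct() {
			$this->init();
		}

		/**
		 * Registers the filter, but only when Defender is loaded: without it the
		 * Settings lookup below would fatal and there is no lock to relax.
		 */
		private function init() {
			if ( ! class_exists( 'WP_Defender' ) ) {
				return;
			}
			add_filter( 'rest_authentication_errors', array( $this, 'wpmudev_rest_authentication_errors' ), 20, 1 );
		}

		/**
		 * `rest_authentication_errors` callback.
		 *
		 * The filter value must be accepted as a parameter: the original read an
		 * undeclared `$result`, so every earlier verdict (including a "block-all"
		 * lock) was silently replaced by null, i.e. "no error".
		 *
		 * @param \WP_Error|true|null $result Verdict of earlier filters: a WP_Error
		 *                                    rejects the request, true means another
		 *                                    handler authenticated it, null is undecided.
		 * @return \WP_Error|true|null
		 */
		public function wpmudev_rest_authentication_errors( $result = null ) {
			// Another handler authenticated the request (e.g. application
			// passwords): nothing to re-evaluate.
			if ( true === $result ) {
				return $result;
			}

			// Only the login lock is re-evaluated so the preset routes can be
			// exempted; any other error stands untouched (fail closed).
			// NOTE(review): assumes Defender's own lock, when it runs before
			// priority 20, reports the 'rest_not_logged_in' code used below -
			// confirm against WP_Rest_API_Service. If the code differs the preset
			// routes simply stay locked; they never open up by accident.
			$is_login_lock = is_wp_error( $result ) && 'rest_not_logged_in' === $result->get_error_code();
			if ( is_wp_error( $result ) && ! $is_login_lock ) {
				return $result;
			}

			if ( $this->is_bypassed_route() ) {
				return null;
			}

			if ( $is_login_lock ) {
				return $result;
			}

			$mode = $this->getMiscData()['mode'];
			if ( 'allow-auth' === $mode && ! is_user_logged_in() ) {
				return new \WP_Error( 'rest_not_logged_in', __( 'The WordPress Rest API has been locked to authorized access only. Log in to use the API.', wp_defender()->domain ), array( 'status' => 401 ) );
			}

			// Undecided: leave it to the remaining filters (core's cookie/nonce
			// check runs at priority 100).
			return $result;
		}

		/**
		 * Whether the current request targets one of the exempted routes.
		 *
		 * The original did a case-insensitive substring search over the whole
		 * REQUEST_URI, so appending `?x=contact-form-7/v1/contact-forms` to any
		 * REST URL (e.g. /wp-json/wp/v2/users) unlocked it. Here only the path is
		 * compared, anchored at the site's REST prefix and on a segment boundary,
		 * for both URL forms WordPress serves: the pretty `/wp-json/<route>` path
		 * (optionally via `index.php`) and the `?rest_route=/<route>` fallback.
		 *
		 * @return bool
		 */
		private function is_bypassed_route() {
			$request_uri = isset( $_SERVER['REQUEST_URI'] ) ? (string) $_SERVER['REQUEST_URI'] : '';
			$path        = (string) wp_parse_url( $request_uri, PHP_URL_PATH );
			$base        = rtrim( (string) wp_parse_url( home_url( '/' ), PHP_URL_PATH ), '/' );
			$prefix      = trim( (string) rest_get_url_prefix(), '/' );

			$rest_route = '';
			if ( isset( $_GET['rest_route'] ) && is_string( $_GET['rest_route'] ) ) {
				$rest_route = (string) wp_parse_url( $_GET['rest_route'], PHP_URL_PATH );
			}

			// The route must be followed by "/" or the end of the path, so
			// `contact-forms-extra` does not match `contact-forms`.
			$boundary = '(?:/|$)';

			foreach ( $this->routes as $route ) {
				$route = trim( (string) $route, '/' );
				if ( '' === $route ) {
					continue;
				}

				$pretty = '#^' . preg_quote( $base, '#' ) . '(?:/index\.php)?/' . preg_quote( $prefix, '#' ) . '/' . preg_quote( $route, '#' ) . $boundary . '#';
				if ( '' !== $path && 1 === preg_match( $pretty, $path ) ) {
					return true;
				}

				$plain = '#^/?' . preg_quote( $route, '#' ) . $boundary . '#';
				if ( '' !== $rest_route && 1 === preg_match( $plain, $rest_route ) ) {
					return true;
				}
			}

			return false;
		}

		/**
		 * Reads the mode of Defender's "WordPress REST API" tweak.
		 *
		 * Anything other than a recognised stored value falls back to
		 * 'allow-all', which applies no lock of our own.
		 *
		 * @return array{mode: string} One of 'allow-all', 'allow-auth', 'block-all'.
		 */
		public function getMiscData() {
			$data = Settings::instance()->getDValues( WP_Rest_API_Service::KEY );
			$mode = 'allow-all';
			if ( is_array( $data ) && isset( $data['mode'] ) && in_array( $data['mode'], array( 'allow-auth', 'block-all' ), true ) ) {
				$mode = $data['mode'];
			}
			return array(
				'mode' => $mode,
			);
		}
	}

	add_action( 'plugins_loaded', function () {
		WPMUDEV_REST_API_Custom_Routes_Bypass::get_instance();
	}, 10 );
}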