
ACF REST route

Open Rahe opened this issue 5 years ago • 0 comments

Hello,

The plugin is registering an ACF route for getting ACF key => label in https://github.com/phpbits/block-options/blob/master/includes/class-editorskit-acf-support.php. But this route is only protected by the logged_in function. If I am just logged in as a subscriber, I can access all this data even if I am not able to edit any post.

I think it's important to check a capability like "edit_post" and, like core, to use the "permission_callback" argument and WP_REST_Server::READABLE for the method argument. https://github.com/WordPress/WordPress/blob/master/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php#L64

Nicolas,

Rahe, Jun 12 '20 09:06
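As an added illustration (not the plugin's own code), this is the registration pattern the issue recommends: the route is limited to `WP_REST_Server::READABLE` and guarded by a `permission_callback` that checks a capability instead of only `is_user_logged_in`. The namespace, route path and callback names are placeholders, and the capability checked is the primitive `edit_posts`, since `edit_post` is a meta capability that needs a post ID.

```php
<?php
// Added illustration (not the plugin's code): registering an ACF key => label
// route so that only users who can edit posts may read it.
add_action( 'rest_api_init', function () {
    register_rest_route(
        'example/v1',          // placeholder namespace
        '/acf-field-labels',   // placeholder route
        array(
            // Restrict the route to GET/HEAD, as core controllers do.
            'methods'             => WP_REST_Server::READABLE,
            'callback'            => 'example_get_acf_field_labels',
            // The weak form described in the issue would be:
            //   'permission_callback' => 'is_user_logged_in',
            // which any authenticated account, including a subscriber, passes.
            'permission_callback' => function ( WP_REST_Request $request ) {
                // 'edit_post' is a meta capability that requires a post ID, so a
                // route not tied to one post checks the primitive 'edit_posts'.
                if ( ! current_user_can( 'edit_posts' ) ) {
                    return new WP_Error(
                        'rest_forbidden',
                        __( 'Sorry, you are not allowed to read ACF field data.' ),
                        // 401 for anonymous callers, 403 for logged-in ones.
                        array( 'status' => rest_authorization_required_code() )
                    );
                }
                return true;
            },
        )
    );
} );

// Placeholder callback: collects field key => label pairs from ACF, if present.
function example_get_acf_field_labels( WP_REST_Request $request ) {
    $fields = array();
    if ( function_exists( 'acf_get_field_groups' ) ) {
        foreach ( acf_get_field_groups() as $group ) {
            foreach ( acf_get_fields( $group ) as $field ) {
                $fields[ $field['key'] ] = $field['label'];
            }
        }
    }
    return rest_ensure_response( $fields );
}
```

A quick check after deploying such a change is to request the route as a subscriber and confirm a 403 `rest_forbidden` response rather than the field list.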