Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

BUG: Custom Results REST API endpoints have no permissions check #3001

Closed
JakePT opened this issue Sep 15, 2022 · 0 comments · Fixed by #3004
Closed

BUG: Custom Results REST API endpoints have no permissions check #3001

JakePT opened this issue Sep 15, 2022 · 0 comments · Fixed by #3004
Assignees
@felipeelia
Labels
bug Something isn't working good first issue module:custom-search-results Issues related to the Custom Search Results functionality
Milestone
4.3.1

Comments

@JakePT
Copy link
Contributor

JakePT commented Sep 15, 2022

Describe the bug
The Custom Results admin page is powered by two REST API endpoints, pointer_search and pointer_preview. These are used for finding posts when displaying the default search results and when searching for new posts to add. Both of these endpoints have no permissions check even though they're only used in the admin.

They likely lack a permissions check because all they are doing is performing a WP_Query search on public content, but restricted or protected content could still be included if these endpoints were not properly accounted for when restricting content. I'm aware of at least one site where this has been an issue.

Steps to Reproduce

  1. While signed out, access the /wp-json/elasticpress/v1/pointer_search and /wp-json/elasticpress/v1/pointer_search endpoints.
  2. They will return a successful response even if not signed in.

Expected behavior
Ideally these endpoints should require the same permissions as the Custom Results admin screen so that they are not exposed publicly.

Additional context
Props @PypWalters
@JakePT JakePT added bug Something isn't working good first issue module:custom-search-results Issues related to the Custom Search Results functionality labels Sep 15, 2022
@JakePT JakePT added this to the 4.3.1 milestone Sep 15, 2022
@JakePT JakePT self-assigned this Sep 16, 2022
@JakePT JakePT mentioned this issue Sep 16, 2022
Merged
4 tasks
@JakePT JakePT assigned felipeelia and unassigned JakePT Sep 16, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@felipeelia felipeelia

Labels
bug Something isn't working good first issue module:custom-search-results Issues related to the Custom Search Results functionality
Projects
None yet
Milestone
4.3.1
Development

Successfully merging a pull request may close this issue.

Add capability check to Custom Results API endpoints. 10up/ElasticPress
2 participants
@felipeelia @JakePT