diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5abc25e0..1c2a7bf6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,8 @@
 # Changelog
+## 1.9.7
+* Adds a capability check to the preview, authors and hashtag endpoint to prevent unauthenticated calls (#685)
+
 ## 1.9.6
 * Revert #597, restoring `get_fields_for_render()` that is being used in some implementations (#639)
diff --git a/README.md b/README.md
index 9069a8c5..f7fc29f3 100644
--- a/README.md
+++ b/README.md
@@ -6,7 +6,7 @@
 * Requires at least: 4.4
 * Requires PHP: 5.6
 * Tested up to: 4.9.8
-* Stable tag: 1.9.6
+* Stable tag: 1.9.7
 * License: GPLv2 or later
 * License URI: http://www.gnu.org/licenses/gpl-2.0.html
diff --git a/classes/class-wpcom-liveblog-rest-api.php b/classes/class-wpcom-liveblog-rest-api.php
index acb493bb..bb1480fe 100644
--- a/classes/class-wpcom-liveblog-rest-api.php
+++ b/classes/class-wpcom-liveblog-rest-api.php
@@ -180,12 +180,12 @@ public static function register_routes() {
 array(
 'methods' => WP_REST_Server::CREATABLE,
 'callback' => array( __CLASS__, 'format_preview_entry' ),
+ 'permission_callback' => array( 'WPCOM_Liveblog', 'current_user_can_edit_liveblog' ),
 'args' => array(
 'entry_content' => array(
 'required' => true,
 ),
 ),
- 'permission_callback' => '__return_true',
 )
 );
@@ -205,12 +205,12 @@ public static function register_routes() {
 array(
 'methods' => WP_REST_Server::READABLE,
 'callback' => array( __CLASS__, 'get_authors' ),
+ 'permission_callback' => array( 'WPCOM_Liveblog', 'current_user_can_edit_liveblog' ),
 'args' => array(
 'term' => array(
 'required' => false,
 ),
 ),
- 'permission_callback' => '__return_true',
 )
 );
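Review bot: The new `permission_callback` on the preview route receives the `WP_REST_Request` WordPress hands to every permission callback, but `current_user_can_edit_liveblog` is referenced with no request-aware wrapper and its body is not in this diff, so this presumably resolves to a site-wide capability rather than an authorization scoped to the liveblog post being previewed. That is acceptable for a preview endpoint, but it should be stated on the line so nobody later reads it as per-post authorization: `// Site-wide liveblog edit capability; the request/post is intentionally not consulted.` Separately, `entry_content` is still declared with only `'required' => true`, which checks presence, not shape, so a non-string value reaches `format_preview_entry` unless that callback type-checks it; adding `'type' => 'string',` to the arg is cheap. `register_routes()` continues outside this hunk.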
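Review bot: The gate on `get_authors` only holds if the REST layer has authenticated a user before `current_user_can_edit_liveblog` runs; with WordPress cookie authentication that happens only when the client sends a valid `X-WP-Nonce` (`wp_rest` action), otherwise the request is treated as anonymous and now receives a 401 instead of the author list. The commit changes nothing client-side, so confirm the editor's author autocomplete already sends that nonce (e.g. one created with `wp_create_nonce( 'wp_rest' )` and localized to the script), or this fix will surface as a broken autocomplete for editors rather than as a closed user-enumeration hole. The `term` argument stays undeclared beyond `'required' => false`; a `'sanitize_callback' => 'sanitize_text_field',` beside it would make the contract explicit, though it is less pressing now that only privileged users reach the endpoint. `register_routes()` continues outside this hunk.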
@@ -230,12 +230,12 @@ public static function register_routes() {
 array(
 'methods' => WP_REST_Server::READABLE,
 'callback' => array( __CLASS__, 'get_hashtag_terms' ),
+ 'permission_callback' => array( 'WPCOM_Liveblog', 'current_user_can_edit_liveblog' ),
 'args' => array(
 'term' => array(
 'required' => false,
 ),
 ),
- 'permission_callback' => '__return_true',
 )
 );
diff --git a/liveblog.php b/liveblog.php
index 96eb957e..843ecd82 100644
--- a/liveblog.php
+++ b/liveblog.php
@@ -4,7 +4,7 @@
 * Plugin Name: Liveblog
 * Plugin URI: http://wordpress.org/extend/plugins/liveblog/
 * Description: Empowers website owners to provide rich and engaging live event coverage to a large, distributed audience.
- * Version: 1.9.6
+ * Version: 1.9.7
 * Author: WordPress.com VIP, Big Bite Creative and contributors
 * Author URI: https://github.com/Automattic/liveblog/graphs/contributors
 * Text Domain: liveblog
@@ -26,7 +26,7 @@ final class WPCOM_Liveblog {
 /** Constants *************************************************************/
- const VERSION = '1.9.6';
+ const VERSION = '1.9.7';
 const REWRITES_VERSION = 1;
 const MIN_WP_VERSION = '4.4';
 const MIN_WP_REST_API_VERSION = '4.4';
@@ -917,6 +917,8 @@ public static function flatten_entries( $entries ) {
 }
 public static function ajax_preview_entry() {
+ self::ajax_current_user_can_edit_liveblog();
+
 $entry_content = isset( $_REQUEST['entry_content'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['entry_content'] ) ) : ''; // input var ok
 $entry_content = self::format_preview_entry( $entry_content );
diff --git a/readme.txt b/readme.txt
index 524bd5bd..02bfa7b2 100644
--- a/readme.txt
+++ b/readme.txt
@@ -4,7 +4,7 @@ Tags: liveblog
 Requires at least: 4.4
 Requires PHP: 5.6
 Tested up to: 5.8
-Stable tag: 1.9.6
+Stable tag: 1.9.7
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
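Review bot: The callable added here (and identically in the two preceding hunks) names the class as the string `'WPCOM_Liveblog'`, which no tool can resolve if the class is ever renamed; the README in this same diff states PHP 5.6 as the minimum, so `array( WPCOM_Liveblog::class, 'current_user_can_edit_liveblog' )` is available and lets static analysis and IDE refactors see the reference. Since all three routes now use the same callback, consider building it once in `register_routes()` (`$edit_permission = array( WPCOM_Liveblog::class, 'current_user_can_edit_liveblog' );`) so a future tightening of the check cannot be applied to two routes and forgotten on the third. `term` here, as on the authors route, carries no `type` or `sanitize_callback`; whether that matters depends on what `get_hashtag_terms` does with it, which is outside this diff. `register_routes()` continues outside this hunk.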
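Review bot: The added `self::ajax_current_user_can_edit_liveblog();` only protects the handler if that method itself terminates the request on failure; its return value is discarded, so if it merely returns `false` the function carries on to `format_preview_entry` and emits the preview to the caller exactly as before. Its body is not in this diff — confirm it calls `wp_send_json_error()` or `wp_die()`, or make the guard self-evidently fail-closed: `if ( ! self::current_user_can_edit_liveblog() ) { wp_send_json_error( array( 'message' => 'Forbidden' ), 403 ); }`. Note also that a capability check is not a nonce check: no `check_ajax_referer()` is visible on this admin-ajax path, so a logged-in editor's browser can still be made to hit it cross-site; low impact for a read-only preview, but worth a one-line comment if that is the accepted trade-off. `ajax_preview_entry()` continues past the end of this hunk.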