Allow for flexibility and including /wp-json in the allow/deny lists

alleyinteractive · Jan 12, 2024 · 61a3549 · 61a3549
1 parent 7b40cfe
commit 61a3549
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,7 @@ All notable changes to `wp-rest-guard` will be documented in this file.
 ## v1.0.4 - 2024-01-12
 
 - Fixing an issue splitting lines by `\n` instead of `\r\n` on Windows.
+- Allow `/wp-json/` to be included in the allow/deny lists.
 
 ## v1.0.3 - 2023-08-28
 

diff --git a/plugin.php b/plugin.php
@@ -92,8 +92,6 @@ function should_prevent_anonymous_access( WP_REST_Server $server, WP_REST_Reques
 		return true;
 	}
 
-	// todo: check settings.
-
 	/**
 	 * Filter the allowlist for allowed anonymous requests.
 	 *
@@ -108,6 +106,11 @@ function should_prevent_anonymous_access( WP_REST_Server $server, WP_REST_Reques
 		}
 
 		foreach ( $allowlist as $allowlist_endpoint ) {
+			// Strip off /wp-json from the beginning of the endpoint if it was included.
+			if ( 0 === strpos( $allowlist_endpoint, '/wp-json' ) ) {
+				$allowlist_endpoint = substr( $allowlist_endpoint, 8 );
+			}
+
 			if ( preg_match( '/' . str_replace( '\*', '.*', preg_quote( $allowlist_endpoint, '/' ) ) . '/', $endpoint ) ) {
 				return false;
 			}
@@ -131,6 +134,11 @@ function should_prevent_anonymous_access( WP_REST_Server $server, WP_REST_Reques
 		}
 
 		foreach ( $denylist as $denylist_endpoint ) {
+			// Strip off /wp-json from the beginning of the endpoint if it was included.
+			if ( 0 === strpos( $denylist_endpoint, '/wp-json' ) ) {
+				$denylist_endpoint = substr( $denylist_endpoint, 8 );
+			}
+
 			if ( preg_match( '/' . str_replace( '\*', '.*', preg_quote( $denylist_endpoint, '/' ) ) . '/', $endpoint ) ) {
 				return true;
 			}