Support » Plugin: WP REST Cache » context=edit accessible for not logged in users

  • Resolved jhotadhari



    once a request with context=edit is cached, this response will be served to all visitors/users, non-logged-in, logged-in or logged-in but wrong capabilities.

    1. I set up a new wp site and install and activate wp-rest-cache.
    2. To trigger some context=edit requests: I open the editor to edit the sample post. And open the category select.
    Eg /index.php?_locale=user&context=edit&rest_route=%2Fwp%2Fv2%2Ftaxonomies%2Fcategory got cached.
    3. Now in another browser/session, not logged in: I request same cached url. -> I get full response. Expected result would be an error Sorry, you are not allowed to edit posts in this post type.

    4. if I empty the cache and make the first request not logged in, I’ll get the expected permission error.
    fortunately the permission error is not cached so the editor will work. but we are back at step two.

    The rest_controller::get_items_permissions_check got skipped.

    I tried to edit WP_Rest_Cache_Plugin\Includes\API\Endpoint_Api::skip_caching:
    It is to early to check for post_type capabilities, because global $wp_post_types === NULL.
    So, at least at this early point, we can’t utilize the rest_controller::get_items_permissions_check.

    WP_Rest_Cache_Plugin\Includes\API\Endpoint_Api::get_api_cache is to early as well, global $wp_post_types === NULL.

    waiting for global $wp_post_type !== NULL is not efficient.

    One instant easy solution would be skipping all context=edit requests.
    Better solution maybe: caching results of permissions_check methods per user name. Can get User name from $_COOKIES at this early point.

    alright, now breakfast. thanks a lot

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author Richard Korthuis



    Sorry for the late reply. I have investigated the issue and you are absolutely right. Those calls should not be cached. We will fix this in our next update. We did not do any of the checks you suggested, but we checked for the existence of the X_WP_Nonce request header. Those are authenticated calls and can not be cached when there is no authentication on the cached response.

    Plugin Author Richard Korthuis


    Hi @jhotadhari

    We just released a new version of our plugin which fixes this issue.

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘context=edit accessible for not logged in users’ is closed to new replies.