Set permission_callback for all Rest API endpoints

aatanasovdev · aatanasovdev · commit e860e00512e4 · 2026-02-02T10:01:35.000+02:00
diff --git a/php/class-admin.php b/php/class-admin.php
@@ -108,9 +108,10 @@ public function __construct( Plugin $plugin ) {
 	public function rest_endpoints( $endpoints ) {
 
 		$endpoints['dismiss_notice'] = array(
-			'method'   => WP_REST_Server::CREATABLE,
-			'callback' => array( $this, 'rest_dismiss_notice' ),
-			'args'     => array(),
+			'method'              => WP_REST_Server::CREATABLE,
+			'callback'            => array( $this, 'rest_dismiss_notice' ),
+			'args'                => array(),
+			'permission_callback' => array( 'Cloudinary\REST_API', 'validate_request' ),
 		);
 
 		$endpoints['save_settings'] = array(
diff --git a/php/class-cache.php b/php/class-cache.php
@@ -352,9 +352,11 @@ public function rest_endpoints( $endpoints ) {
 			'args'                => array(),
 		);
 		$endpoints['upload_cache']        = array(
-			'method'   => \WP_REST_Server::CREATABLE,
-			'callback' => array( $this, 'rest_upload_cache' ),
-			'args'     => array(),
+			'method'              => \WP_REST_Server::CREATABLE,
+			'callback'            => array( $this, 'rest_upload_cache' ),
+			'permission_callback' => array( 'Cloudinary\REST_API', 'validate_request' ),
+			'args'                => array(),
+
 		);
 
 		return $endpoints;
diff --git a/php/class-connect.php b/php/class-connect.php
@@ -129,12 +129,13 @@ public function rest_endpoints( $endpoints ) {
 			'method'              => WP_REST_Server::CREATABLE,
 			'callback'            => array( $this, 'rest_save_wizard' ),
 			'args'                => array(),
-			'permission_callback' => array( 'Cloudinary\REST_API', 'rest_can_connect' ),
+			'permission_callback' => array( 'Cloudinary\REST_API', 'validate_request' ),
 		);
 		$endpoints['test_rest_api']   = array(
-			'method'   => WP_REST_Server::READABLE,
-			'callback' => array( $this, 'rest_test_rest_api_connectivity' ),
-			'args'     => array(),
+			'method'              => WP_REST_Server::READABLE,
+			'callback'            => array( $this, 'rest_test_rest_api_connectivity' ),
+			'args'                => array(),
+			'permission_callback' => array( 'Cloudinary\REST_API', 'allow_public_health_check' ),
 		);
 
 		return $endpoints;
diff --git a/php/class-cron.php b/php/class-cron.php
@@ -187,12 +187,12 @@ public function rest_endpoints( $endpoints ) {
 		$endpoints['cron_watch']   = array(
 			'method'              => \WP_REST_Server::READABLE,
 			'callback'            => array( $this, 'daemon_watcher' ),
-			'permission_callback' => '__return_true',
+			'permission_callback' => array( 'Cloudinary\REST_API', 'rest_can_connect' ),
 		);
 		$endpoints['cron_process'] = array(
 			'method'              => \WP_REST_Server::READABLE,
 			'callback'            => array( $this, 'run_queue' ),
-			'permission_callback' => '__return_true',
+			'permission_callback' => array( 'Cloudinary\REST_API', 'rest_can_connect' ),
 		);
 
 		return $endpoints;
diff --git a/php/class-rest-api.php b/php/class-rest-api.php
@@ -51,13 +51,14 @@ public function rest_api_init() {
 			'method'              => \WP_REST_Server::READABLE,
 			'callback'            => __return_empty_array(),
 			'args'                => array(),
-			'permission_callback' => '__return_true',
+			'permission_callback' => array( __CLASS__, 'validate_request' ),
 		);
 
 		$this->endpoints = apply_filters( 'cloudinary_api_rest_endpoints', array() );
 
 		foreach ( $this->endpoints as $route => $endpoint ) {
 			$endpoint = wp_parse_args( $endpoint, $defaults );
+
 			register_rest_route(
 				static::BASE,
 				$route,
@@ -138,4 +139,16 @@ public function background_request( $endpoint, $params = array(), $method = 'POS
 	public static function validate_request( $request ) {
 		return wp_verify_nonce( $request->get_header( 'x_wp_nonce' ), self::NONCE_KEY );
 	}
+
+	/**
+	 * Permission callback for public health check endpoints.
+	 *
+	 * Intentionally allows unauthenticated access for REST API connectivity testing.
+	 * This endpoint is read-only and returns no sensitive data.
+	 *
+	 * @return bool Always returns true to allow public access.
+	 */
+	public static function allow_public_health_check() {
+		return true;
+	}
 }
diff --git a/php/sync/class-push-sync.php b/php/sync/class-push-sync.php
@@ -124,14 +124,16 @@ public function rest_endpoints( $endpoints ) {
 		);
 
 		$endpoints['queue'] = array(
-			'method'   => \WP_REST_Server::CREATABLE,
-			'callback' => array( $this, 'process_queue' ),
-			'args'     => array(),
+			'method'              => \WP_REST_Server::CREATABLE,
+			'callback'            => array( $this, 'process_queue' ),
+			'args'                => array(),
+			'permission_callback' => array( 'Cloudinary\REST_API', 'validate_request' ),
 		);
 		$endpoints['stats'] = array(
-			'method'   => \WP_REST_Server::READABLE,
-			'callback' => array( $this->queue, 'get_total_synced_media' ),
-			'args'     => array(),
+			'method'              => \WP_REST_Server::READABLE,
+			'callback'            => array( $this->queue, 'get_total_synced_media' ),
+			'args'                => array(),
+			'permission_callback' => array( 'Cloudinary\REST_API', 'validate_request' ),
 		);
 
 		return $endpoints;
diff --git a/php/ui/component/class-notice.php b/php/ui/component/class-notice.php
@@ -117,7 +117,7 @@ public function render( $echo = false ) { // phpcs:ignore Universal.NamingConven
 		if ( $this->setting->get_option_parent()->has_param( 'dismissible_notice' ) && ! $this->setting->get_option_parent()->has_param( 'notice_scripts' ) ) {
 			$args = array(
 				'url'   => Utils::rest_url( REST_API::BASE . '/dismiss_notice' ),
-				'nonce' => wp_create_nonce( 'wp_rest' ),
+				'nonce' => wp_create_nonce( REST_API::NONCE_KEY ),
 			);
 			wp_add_inline_script( 'cloudinary', 'var CLDIS = ' . wp_json_encode( $args ), 'before' );
 			$this->setting->get_option_parent()->set_param( 'notice_scripts', true ); // Prevent repeated rendering.
