  • WORDPRESS: rest_api_init - one sexy hook



    After years of WordPress plugin practices, some old code finally caught up to me. Somewhere, out there, some big shot firewall is telling me:

    "Halt. You are not allowed to GET that crap there. Not unless you are whitelisted."

    "Whitelisted?" I thought. "Ain't that some racist shit! You mean I gotta put on a fucking white face to post my own data to my own goddamn site? The fuck kind of bullshit is this?"

    "Rules are rules bitch, no posting to the backdoor, unless you are whitelisted! Now get the fuck out." The firewall responded, then promptly went on about its business.

    Needless to say I was taken aback. Suddenly, I can't hammer my backdoor with payloads of data because of rules. Shit.

    Enter: rest_api_init

    An' she's like. "I got your back homie"

    An' I'm like. "Word? The hell you go do, you fine thing?"

    Cause you know, I've been watching that hook for a long time, just didn't have a reason to call her up.

    An' she's like: "We gonna convert them jacked up backdoor Classes you got going on, into secure endpoints 'n shit"

    An' I'm like "Word? Show me."

    So I'm watching this bitch manhandle one of my Classes like I ain't never seen before. She stroked it, massaged it, shifted some shit around and voila, my jacked up Class is now a stunningly beautiful secure WordPress endpoint.

    Now I'm looking at this bad boy. I see this add action in my construct.


    function __construct() {
        // Register the route once the REST API is booting.
        add_action( 'rest_api_init', function () {
            register_rest_route( $this->plugin_slug . '/v1', 'content/details', array(
                'methods'             => 'POST',
                'callback'            => array( $this, 'init' ),
                // Only a logged-in user who can edit posts gets through.
                'permission_callback' => function () {
                    return current_user_can( 'edit_posts' );
                },
            ) );
        } );
    }


    An' I'm like, "Cool."

    All I had left to do was convert my JavaScript gets and posts to ajax with a beforeSend and a nonce, wrapped in a sexy promise, 'cause I do love me some promises.

    new Promise(function (resolve, reject) {
        let url = dis.site_url + "/wp-json/dis/v1/content/details/";
        jQuery.ajax({
            type: "POST",
            url: url,
            data: {},
            // Send the REST nonce so WordPress authenticates the logged-in user.
            beforeSend: function (xhr) { xhr.setRequestHeader('X-WP-Nonce', dis.nonce); },
        })
        .done(function (data) { resolve(data); })
        .fail(function (xhr, textStatus, errorThrown) { reject(errorThrown); });
    })
    .then(
        function (results) { do_something_with(results); },
        function (error) { console.log(error); }
    );


    Then require that mofo in my main function.
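
The ajax call reads `dis.site_url` and `dis.nonce`, which the post never shows being set. One way to supply them from PHP, as an added example that is not the author's code: the class name, the `dis-admin` handle, the script path and the `post_id` parameter are assumptions (the post's call sends empty `data`), and `wp_rest` is the nonce action WordPress core checks for the `X-WP-Nonce` header.

```php
<?php
// Added example, not the post's code. Dis_Content_Details, the 'dis-admin'
// handle, js/dis-admin.js and the post_id parameter are assumptions.
class Dis_Content_Details {
    private $plugin_slug = 'dis';

    public function __construct() {
        add_action( 'admin_enqueue_scripts', array( $this, 'enqueue' ) );
        add_action( 'rest_api_init', array( $this, 'register_route' ) );
    }

    // Hand the browser the two values the ajax call reads from `dis`.
    public function enqueue() {
        wp_enqueue_script( 'dis-admin', plugins_url( 'js/dis-admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
        wp_localize_script( 'dis-admin', 'dis', array(
            'site_url' => esc_url_raw( get_site_url() ),
            // Core's cookie authentication verifies X-WP-Nonce against the 'wp_rest' action.
            'nonce'    => wp_create_nonce( 'wp_rest' ),
        ) );
    }

    public function register_route() {
        register_rest_route( $this->plugin_slug . '/v1', '/content/details', array(
            'methods'             => 'POST',
            'callback'            => array( $this, 'init' ),
            'permission_callback' => function () {
                return current_user_can( 'edit_posts' );
            },
            'args'                => array(
                'post_id' => array(
                    'required'          => true,
                    'sanitize_callback' => 'absint',
                    'validate_callback' => function ( $value ) { return is_numeric( $value ) && (int) $value > 0; },
                ),
            ),
        ) );
    }

    public function init( WP_REST_Request $request ) {
        $post_id = $request->get_param( 'post_id' );
        if ( ! current_user_can( 'edit_post', $post_id ) ) {
            return new WP_Error( 'rest_forbidden', 'You cannot edit this post.', array( 'status' => 403 ) );
        }
        return rest_ensure_response( array( 'post_id' => $post_id, 'title' => get_the_title( $post_id ) ) );
    }
}
new Dis_Content_Details();
```

Without a valid `X-WP-Nonce`, core treats a cookie-authenticated REST request as logged out, so the `edit_posts` check in `permission_callback` fails and the callback never runs.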

    Bitch buggered off before I could say thank you, but it's all good though.

    I don't have to put on a whiteface to post my data anymore.

    So fuck off firewall. At least for today.
