Merge branch 'fix-get-requests' into develop

Author: valendesigns

tests/wp-includes/rest-api/auth/class-test-wp-rest-token.php

@@ -370,6 +370,12 @@ public function test_require_token() {
 		$_SERVER['REQUEST_URI'] = $token_uri;
 		$this->assertFalse( $this->token->require_token() );
 
+		// Some GET requests require authentication to work correctly (i.e. – fetching draft posts)
+		// If a token is present, treat it as though it's required.
+		$_SERVER['HTTP_AUTHORIZATION'] = 'Bearer: Test';
+		$this->assertTrue( $this->token->require_token() );
+		unset( $_SERVER['HTTP_AUTHORIZATION'] );
+
 		// Don't require authentication to generate a token.
 		$_SERVER['REQUEST_METHOD'] = 'POST';
 		$this->assertFalse( $this->token->require_token() );
@@ -382,7 +388,7 @@ public function test_require_token() {
 		$_SERVER['REQUEST_METHOD'] = 'GET';
 		add_filter( 'rest_authentication_require_token', '__return_true' );
 		$this->assertTrue( $this->token->require_token() );
-		add_filter( 'rest_authentication_require_token', '__return_true' );
+		remove_filter( 'rest_authentication_require_token', '__return_true' );
 
 		unset( $_SERVER['REQUEST_METHOD'] );
 		unset( $_SERVER['REQUEST_URI'] );

wp-includes/rest-api/auth/class-wp-rest-token.php

@@ -374,8 +374,14 @@ public function require_token() {
 			$require_token = false;
 		}
 
-		// GET requests do not need to be authenticated.
-		if ( 'GET' === $request_method ) {
+		/**
+		 * GET requests do not typically require authentication, but if the
+		 * Authorization header is provided, we will use it. WHat's happening
+		 * here is that `WP_REST_Token::get_auth_header` returns the bearer
+		 * token or a `WP_Error`. So if we have an error then we can safely skip
+		 * the GET request.
+		 */
+		if ( 'GET' === $request_method && is_wp_error( $this->get_auth_header() ) ) {
 			$require_token = false;
 		}