REST API: Allow sidebars and their widgets to be public.

By default, only users with the `edit_theme_options` capability can access the sidebars and widgets REST API endpoints. In this commit, A new `show_in_rest` parameter is added to the `register_sidebar` function. When enabled, all users will be able to access that sidebar and any widgets belonging to that sidebar.

This commit reduces the `context` for a widget's `instance` information to only `edit`. This is to ensure that internal widget data is not inadvertently exposed to the public. A future ticket may expose additional APIs to allow widget authors to indicate that their instance data can be safely exposed. REST API consumers intending to access this `instance` information should take care to explicitly set the `context` parameter to `edit`.

Props spacedmonkey, zieladam.
Fixes #53915.


git-svn-id: https://develop.svn.wordpress.org/trunk@52016 602fd350-edb4-49c9-b593-d223f7449a82

Author: TimothyBJacobs

src/wp-includes/rest-api/endpoints/class-wp-rest-sidebars-controller.php

@@ -18,6 +18,14 @@
  */
 class WP_REST_Sidebars_Controller extends WP_REST_Controller {
 
+	/**
+	 * Tracks whether {@see retrieve_widgets()} has been called in the current request.
+	 *
+	 * @since 5.9.0
+	 * @var bool
+	 */
+	protected $widgets_retrieved = false;
+
 	/**
 	 * Sidebars controller constructor.
 	 *
@@ -86,6 +94,19 @@ public function register_routes() {
 	 * @return true|WP_Error True if the request has read access, WP_Error object otherwise.
 	 */
 	public function get_items_permissions_check( $request ) {
+		$this->retrieve_widgets();
+		foreach ( wp_get_sidebars_widgets() as $id => $widgets ) {
+			$sidebar = $this->get_sidebar( $id );
+
+			if ( ! $sidebar ) {
+				continue;
+			}
+
+			if ( $this->check_read_permission( $sidebar ) ) {
+				return true;
+			}
+		}
+
 		return $this->do_permissions_check();
 	}
 
@@ -95,19 +116,25 @@ public function get_items_permissions_check( $request ) {
 	 * @since 5.8.0
 	 *
 	 * @param WP_REST_Request $request Full details about the request.
-	 * @return WP_REST_Response|WP_Error Response object on success, or WP_Error object on failure.
+	 * @return WP_REST_Response Response object on success.
 	 */
 	public function get_items( $request ) {
-		retrieve_widgets();
+		$this->retrieve_widgets();
+
+		$data              = array();
+		$permissions_check = $this->do_permissions_check();
 
-		$data = array();
 		foreach ( wp_get_sidebars_widgets() as $id => $widgets ) {
 			$sidebar = $this->get_sidebar( $id );
 
 			if ( ! $sidebar ) {
 				continue;
 			}
 
+			if ( is_wp_error( $permissions_check ) && ! $this->check_read_permission( $sidebar ) ) {
+				continue;
+			}
+
 			$data[] = $this->prepare_response_for_collection(
 				$this->prepare_item_for_response( $sidebar, $request )
 			);
@@ -125,9 +152,28 @@ public function get_items( $request ) {
 	 * @return true|WP_Error True if the request has read access, WP_Error object otherwise.
 	 */
 	public function get_item_permissions_check( $request ) {
+		$this->retrieve_widgets();
+
+		$sidebar = $this->get_sidebar( $request['id'] );
+		if ( $sidebar && $this->check_read_permission( $sidebar ) ) {
+			return true;
+		}
+
 		return $this->do_permissions_check();
 	}
 
+	/**
+	 * Checks if a sidebar can be read publicly.
+	 *
+	 * @since 5.9.0
+	 *
+	 * @param array $sidebar The registered sidebar configuration.
+	 * @return bool Whether the side can be read.
+	 */
+	protected function check_read_permission( $sidebar ) {
+		return ! empty( $sidebar['show_in_rest'] );
+	}
+
 	/**
 	 * Retrieves one sidebar from the collection.
 	 *
@@ -137,10 +183,9 @@ public function get_item_permissions_check( $request ) {
 	 * @return WP_REST_Response|WP_Error Response object on success, or WP_Error object on failure.
 	 */
 	public function get_item( $request ) {
-		retrieve_widgets();
+		$this->retrieve_widgets();
 
 		$sidebar = $this->get_sidebar( $request['id'] );
-
 		if ( ! $sidebar ) {
 			return new WP_Error( 'rest_sidebar_not_found', __( 'No sidebar exists with that id.' ), array( 'status' => 404 ) );
 		}
@@ -234,28 +279,25 @@ protected function do_permissions_check() {
 	 *
 	 * @since 5.8.0
 	 *
-	 * @global array $wp_registered_sidebars The registered sidebars.
-	 *
 	 * @param string|int $id ID of the sidebar.
 	 * @return array|null The discovered sidebar, or null if it is not registered.
 	 */
 	protected function get_sidebar( $id ) {
-		global $wp_registered_sidebars;
-
-		foreach ( (array) $wp_registered_sidebars as $sidebar ) {
-			if ( $sidebar['id'] === $id ) {
-				return $sidebar;
-			}
-		}
+		return wp_get_sidebar( $id );
+	}
 
-		if ( 'wp_inactive_widgets' === $id ) {
-			return array(
-				'id'   => 'wp_inactive_widgets',
-				'name' => __( 'Inactive widgets' ),
-			);
+	/**
+	 * Looks for "lost" widgets once per request.
+	 *
+	 * @since 5.9.0
+	 *
+	 * @see retrieve_widgets()
+	 */
+	protected function retrieve_widgets() {
+		if ( ! $this->widgets_retrieved ) {
+			retrieve_widgets();
+			$this->widgets_retrieved = true;
 		}
-
-		return null;
 	}
 
 	/**

src/wp-includes/rest-api/endpoints/class-wp-rest-widgets-controller.php

@@ -16,6 +16,14 @@
  */
 class WP_REST_Widgets_Controller extends WP_REST_Controller {
 
+	/**
+	 * Tracks whether {@see retrieve_widgets()} has been called in the current request.
+	 *
+	 * @since 5.9.0
+	 * @var bool
+	 */
+	protected $widgets_retrieved = false;
+
 	/**
 	 * Widgets controller constructor.
 	 *
@@ -97,6 +105,17 @@ public function register_routes() {
 	 * @return true|WP_Error True if the request has read access, WP_Error object otherwise.
 	 */
 	public function get_items_permissions_check( $request ) {
+		$this->retrieve_widgets();
+		if ( isset( $request['sidebar'] ) && $this->check_read_sidebar_permission( $request['sidebar'] ) ) {
+			return true;
+		}
+
+		foreach ( wp_get_sidebars_widgets() as $sidebar_id => $widget_ids ) {
+			if ( $this->check_read_sidebar_permission( $sidebar_id ) ) {
+				return true;
+			}
+		}
+
 		return $this->permissions_check( $request );
 	}
 
@@ -109,15 +128,20 @@ public function get_items_permissions_check( $request ) {
 	 * @return WP_REST_Response|WP_Error Response object on success, or WP_Error object on failure.
 	 */
 	public function get_items( $request ) {
-		retrieve_widgets();
+		$this->retrieve_widgets();
 
-		$prepared = array();
+		$prepared          = array();
+		$permissions_check = $this->permissions_check( $request );
 
 		foreach ( wp_get_sidebars_widgets() as $sidebar_id => $widget_ids ) {
 			if ( isset( $request['sidebar'] ) && $sidebar_id !== $request['sidebar'] ) {
 				continue;
 			}
 
+			if ( is_wp_error( $permissions_check ) && ! $this->check_read_sidebar_permission( $sidebar_id ) ) {
+				continue;
+			}
+
 			foreach ( $widget_ids as $widget_id ) {
 				$response = $this->prepare_item_for_response( compact( 'sidebar_id', 'widget_id' ), $request );
 
@@ -139,9 +163,32 @@ public function get_items( $request ) {
 	 * @return true|WP_Error True if the request has read access, WP_Error object otherwise.
 	 */
 	public function get_item_permissions_check( $request ) {
+		$this->retrieve_widgets();
+
+		$widget_id  = $request['id'];
+		$sidebar_id = wp_find_widgets_sidebar( $widget_id );
+
+		if ( $sidebar_id && $this->check_read_sidebar_permission( $sidebar_id ) ) {
+			return true;
+		}
+
 		return $this->permissions_check( $request );
 	}
 
+	/**
+	 * Checks if a sidebar can be read publicly.
+	 *
+	 * @since 5.9.0
+	 *
+	 * @param string $sidebar_id The sidebar id.
+	 * @return bool Whether the sidebar can be read.
+	 */
+	protected function check_read_sidebar_permission( $sidebar_id ) {
+		$sidebar = wp_get_sidebar( $sidebar_id );
+
+		return ! empty( $sidebar['show_in_rest'] );
+	}
+
 	/**
 	 * Gets an individual widget.
 	 *
@@ -151,7 +198,7 @@ public function get_item_permissions_check( $request ) {
 	 * @return WP_REST_Response|WP_Error Response object on success, or WP_Error object on failure.
 	 */
 	public function get_item( $request ) {
-		retrieve_widgets();
+		$this->retrieve_widgets();
 
 		$widget_id  = $request['id'];
 		$sidebar_id = wp_find_widgets_sidebar( $widget_id );
@@ -247,8 +294,7 @@ public function update_item( $request ) {
 		 * See https://core.trac.wordpress.org/ticket/53657.
 		 */
 		wp_get_sidebars_widgets();
-
-		retrieve_widgets();
+		$this->retrieve_widgets();
 
 		$widget_id  = $request['id'];
 		$sidebar_id = wp_find_widgets_sidebar( $widget_id );
@@ -323,8 +369,7 @@ public function delete_item( $request ) {
 		 * See https://core.trac.wordpress.org/ticket/53657.
 		 */
 		wp_get_sidebars_widgets();
-
-		retrieve_widgets();
+		$this->retrieve_widgets();
 
 		$widget_id  = $request['id'];
 		$sidebar_id = wp_find_widgets_sidebar( $widget_id );
@@ -439,6 +484,20 @@ protected function permissions_check( $request ) {
 		return true;
 	}
 
+	/**
+	 * Looks for "lost" widgets once per request.
+	 *
+	 * @since 5.9.0
+	 *
+	 * @see retrieve_widgets()
+	 */
+	protected function retrieve_widgets() {
+		if ( ! $this->widgets_retrieved ) {
+			retrieve_widgets();
+			$this->widgets_retrieved = true;
+		}
+	}
+
 	/**
 	 * Saves the widget in the request object.
 	 *
@@ -767,23 +826,23 @@ public function get_item_schema() {
 				'instance'      => array(
 					'description' => __( 'Instance settings of the widget, if supported.' ),
 					'type'        => 'object',
-					'context'     => array( 'view', 'edit', 'embed' ),
+					'context'     => array( 'edit' ),
 					'default'     => null,
 					'properties'  => array(
 						'encoded' => array(
 							'description' => __( 'Base64 encoded representation of the instance settings.' ),
 							'type'        => 'string',
-							'context'     => array( 'view', 'edit', 'embed' ),
+							'context'     => array( 'edit' ),
 						),
 						'hash'    => array(
 							'description' => __( 'Cryptographic hash of the instance settings.' ),
 							'type'        => 'string',
-							'context'     => array( 'view', 'edit', 'embed' ),
+							'context'     => array( 'edit' ),
 						),
 						'raw'     => array(
 							'description' => __( 'Unencoded instance settings, if supported.' ),
 							'type'        => 'object',
-							'context'     => array( 'view', 'edit', 'embed' ),
+							'context'     => array( 'edit' ),
 						),
 					),
 				),

src/wp-includes/widgets.php

@@ -220,6 +220,7 @@ function register_sidebars( $number = 1, $args = array() ) {
  *
  * @since 2.2.0
  * @since 5.6.0 Added the `before_sidebar` and `after_sidebar` arguments.
+ * @since 5.9.0 Added the `show_in_rest` argument.
  *
  * @global array $wp_registered_sidebars Registered sidebars.
  *
@@ -250,6 +251,8 @@ function register_sidebars( $number = 1, $args = array() ) {
  *     @type string $after_sidebar  HTML content to append to the sidebar when displayed.
  *                                  Outputs before the {@see 'dynamic_sidebar_after'} action.
  *                                  Default empty string.
+ *     @type bool $show_in_rest     Whether to show this sidebar publicly in the REST API.
+ *                                  Defaults to only showing the sidebar to administrator users.
  * }
  * @return string Sidebar ID added to $wp_registered_sidebars global.
  */
@@ -272,6 +275,7 @@ function register_sidebar( $args = array() ) {
 		'after_title'    => "</h2>\n",
 		'before_sidebar' => '',
 		'after_sidebar'  => '',
+		'show_in_rest'   => false,
 	);
 
 	/**
@@ -1035,6 +1039,35 @@ function wp_get_sidebars_widgets( $deprecated = true ) {
 	return apply_filters( 'sidebars_widgets', $sidebars_widgets );
 }
 
+/**
+ * Retrieves the registered sidebar with the given id.
+ *
+ * @since 5.9.0
+ *
+ * @global array $wp_registered_sidebars The registered sidebars.
+ *
+ * @param string $id The sidebar id.
+ * @return array|null The discovered sidebar, or null if it is not registered.
+ */
+function wp_get_sidebar( $id ) {
+	global $wp_registered_sidebars;
+
+	foreach ( (array) $wp_registered_sidebars as $sidebar ) {
+		if ( $sidebar['id'] === $id ) {
+			return $sidebar;
+		}
+	}
+
+	if ( 'wp_inactive_widgets' === $id ) {
+		return array(
+			'id'   => 'wp_inactive_widgets',
+			'name' => __( 'Inactive widgets' ),
+		);
+	}
+
+	return null;
+}
+
 /**
  * Set the sidebar widget option to update sidebars.
  *