fix: better security for some rest endpoints

Author: [email protected]

src/block/posts/index.php

@@ -526,6 +526,12 @@ public static function get_terms() {
 		public function get_posts( $request ) {
 			$args = $request->get_query_params();
 
+			// Enforce safe defaults to avoid exposing sensitive content.
+			// 1) Force post status to publish only (non-sensitive).
+			$args['post_status'] = 'publish';
+			// 2) Exclude password-protected content explicitly.
+			$args['has_password'] = false;
+
 			$query = new WP_Query( $args );
 
 			foreach ( $query->posts as $key=>$post ) {

src/design-library/init.php

@@ -76,7 +76,7 @@ public function register_route() {
 				'methods' => 'POST',
 				'callback' => array( $this, 'get_design_library_image' ),
 				'permission_callback' => function () {
-					return current_user_can( 'edit_posts' );
+					return current_user_can( 'upload_files' );
 				},
 				'args' => array(
 					'image_url' => array(