From 19ea24db713c5bc06a2c86244e698a9a7c0595ca Mon Sep 17 00:00:00 2001
From: jbrejcha
Date: Sat, 11 Apr 2026 20:08:36 +0200
Subject: [PATCH] Fix unauthenticated access to Carbon Fields REST API endpoints
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

allow_access() returned true unconditionally, allowing any unauthenticated request to read Carbon Fields data (post meta, user meta, term meta, comment meta) for any object ID — including admin user meta — as long as the field had set_visible_in_rest_api(true) set by the developer. Require is_user_logged_in() by default. Sites that intentionally expose fields on public endpoints can opt out via the new filter: add_filter( 'carbon_fields_rest_api_allow_public_access', '__return_true' );
---
 core/REST_API/Router.php | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/core/REST_API/Router.php b/core/REST_API/Router.php
index 99d4848a..c8dd537b 100644
--- a/core/REST_API/Router.php
+++ b/core/REST_API/Router.php
@@ -168,11 +168,27 @@ public function get_vendor() {
 	}
 
 	/**
-	 * Allow access to an endpoint
+	 * Allow access to an endpoint.
 	 *
-	 * @return bool
+	 * Requires the user to be logged in by default. Use the
+	 * `carbon_fields_rest_api_allow_public_access` filter to allow
+	 * unauthenticated access for intentionally public endpoints.
+	 *
+	 * @return bool|\WP_Error
 	 */
 	public function allow_access() {
+		if ( apply_filters( 'carbon_fields_rest_api_allow_public_access', false ) ) {
+			return true;
+		}
+
+		if ( ! is_user_logged_in() ) {
+			return new \WP_Error(
+				'rest_forbidden',
+				__( 'You must be logged in to access Carbon Fields data.', 'carbon-fields' ),
+				array( 'status' => rest_authorization_required_code() )
+			);
+		}
+
 		return true;
 	}
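Review bot: The new `is_user_logged_in()` gate in allow_access() authenticates but does not authorize, so any account that can log in (a subscriber, for instance) can still read the post, user, term and comment meta the commit message describes for arbitrary object IDs, including other users' meta. The check should be tied to the target object — `current_user_can( 'edit_post', $id )`, `'edit_user'`, `'edit_term'` or `'edit_comment'` depending on the endpoint — which presumably belongs in the per-type handlers outside this hunk, or requires `allow_access()` to accept the `WP_REST_Request` it is likely given as a permission callback. Relatedly, the `carbon_fields_rest_api_allow_public_access` filter receives no request, object type or field context, so opting a single intentionally public field back in re-opens every Carbon Fields endpoint; passing at least the request as a second filter argument, `apply_filters( 'carbon_fields_rest_api_allow_public_access', false, $request )`, would let sites scope the exception. The docblock should also say that the logged-in check is authentication only and that per-object capability checks are still required.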