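ction validRequest( $request ) { return is_user_logged_in() && $this->validateAccess( $request ); }

	/**
	 * Validates access from the routes array.
	 *
	 * Resolution order: unknown route or route without an access level -> denied;
	 * admin -> allowed; access level 'everyone' -> allowed; any other access level
	 * is treated as a capability name and checked against the current user.
	 *
	 * @since 4.0.0
	 *
	 * @param  \WP_REST_Request $request The REST Request.
	 * @return bool                      True if validated, false if not.
	 */
	public function validateAccess( $request ) {
		$routeData = $this->getRouteData( $request );

		// Fail closed: a route that is not registered for this method, or is registered
		// without an access level, is never granted.
		if ( empty( $routeData ) || empty( $routeData['access'] ) ) {
			return false;
		}

		// Admins always have access.
		if ( aioseo()->access->isAdmin() ) {
			return true;
		}

		switch ( $routeData['access'] ) {
			case 'everyone':
				// Any user is able to access the route.
				return true;
			default:
				// Every other value is a capability name.
				return aioseo()->access->hasCapability( $routeData['access'] );
		}
	}

	/**
	 * Returns the data for the route that is being accessed.
	 *
	 * Looks the normalized route up by exact name in the table for the request's HTTP
	 * method first, then falls back to treating each route key as a regex.
	 *
	 * @since 4.1.6
	 *
	 * @param  \WP_REST_Request $request The REST Request.
	 * @return array                     The route data, or an empty array when no route matches.
	 */
	protected function getRouteData( $request ) {
		// NOTE: Since WordPress uses case-insensitive patterns to match routes,
		// we are forcing everything to lowercase to ensure we have the proper route.
		// This prevents users with lower privileges from accessing routes they shouldn't.
		$route = aioseo()->helpers->toLowercase( $request->get_route() );
		$route = untrailingslashit( str_replace( '/' . $this->namespace . '/', '', $route ) );

		// Resolve the route table for this HTTP method once. A method with no registered
		// routes yields an empty table instead of an undefined-key warning followed by a
		// foreach over null.
		$routes       = $this->getRoutes();
		$method       = $request->get_method();
		$methodRoutes = isset( $routes[ $method ] ) && is_array( $routes[ $method ] ) ? $routes[ $method ] : [];

		// Exact route name first.
		$routeData = isset( $methodRoutes[ $route ] ) ? $methodRoutes[ $route ] : [];
		if ( ! empty( $routeData ) ) {
			return $routeData;
		}

		// No direct route name, let's try the regexes.
		foreach ( $methodRoutes as $routeRegex => $routeInfo ) {
			// '@' is used as the pattern delimiter below, so any '@' inside the key must be escaped.
			$routeRegex = str_replace( '@', '\@', $routeRegex );
			// NOTE(review): the pattern is applied unanchored here; confirm that the route keys
			// returned by getRoutes() carry their own anchors so a request can only match its own entry.
			if ( preg_match( "@{$routeRegex}@", $route ) ) {
				return $routeInfo;
			}
		}

		return [];
	}
}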