@aatanasov-cloudinary commented Feb 2, 2026

Fixes #1134 and this topic.

Approach

  • Set an appropriate permission_callback to all endpoints created by the plugin.
  • The default endpoint now requires the wp_rest nonce.
  • Ensured the endpoints that previously used 'permission_callback' => '__return_true' work with the new approach ('permission_callback' => array( 'Cloudinary\REST_API', 'validate_request' )).
  • Only rest_test_rest_api_connectivity uses true (isolated in a separate method) because this is a REST API check only.

QA notes

  • Go to admin.php?page=cloudinary and ensure ui-state and stats AJAX requests resolve.
  • Test cron endpoints via code:
    1. Add logs to the daemon_watcher and run_queue methods of class-cron.php
    2. Remove the cloudinary_cron_system and cloudinary_cron_schedule theme options.
    3. Enable cron from page=cloudinary&section=cron_system
    4. Wait for the jobs to start (check the Next Run column)
    5. Check the debug log and ensure there are logs:
    6. Example:
[02-Feb-2026 10:31:59 UTC] Daemon watcher started at 1770028319 with start time 177002831869807d1ea1e06
[02-Feb-2026 10:32:00 UTC] Running cron queue at 1770028320
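
The approach in the PR description above, as an added example that is not part of the pull request or the plugin's code: a route registered with '__return_true' beside the same route guarded by a permission callback that checks the wp_rest nonce. The example/v1 namespace, the route paths, the example_* function names and the manage_options capability are assumptions.

```php
<?php
// Added illustration; not the plugin's code. The example/v1 namespace, the
// routes and every example_* name are hypothetical.

/**
 * Permission callback: require a valid wp_rest nonce, then a capability.
 *
 * @param WP_REST_Request $request Incoming REST request.
 * @return true|WP_Error True to allow the request, WP_Error to reject it.
 */
function example_validate_request( WP_REST_Request $request ) {
	$nonce = $request->get_header( 'X-WP-Nonce' );

	// wp_verify_nonce() returns false for a missing, forged or expired nonce.
	if ( empty( $nonce ) || ! wp_verify_nonce( $nonce, 'wp_rest' ) ) {
		return new WP_Error( 'rest_forbidden', 'Invalid nonce.', array( 'status' => 403 ) );
	}

	// Assumed capability; choose the one that matches what the route exposes.
	if ( ! current_user_can( 'manage_options' ) ) {
		// 401 when logged out, 403 when logged in without the capability.
		$status = rest_authorization_required_code();
		return new WP_Error( 'rest_forbidden', 'Insufficient permissions.', array( 'status' => $status ) );
	}

	return true;
}

function example_get_stats() {
	return rest_ensure_response( array( 'ok' => true ) );
}

add_action( 'rest_api_init', function () {
	// Before: '__return_true' lets any unauthenticated visitor call the route.
	register_rest_route( 'example/v1', '/stats-open', array(
		'methods'             => 'GET',
		'callback'            => 'example_get_stats',
		'permission_callback' => '__return_true',
	) );

	// After: the same handler, reachable only when the callback returns true.
	register_rest_route( 'example/v1', '/stats', array(
		'methods'             => 'GET',
		'callback'            => 'example_get_stats',
		'permission_callback' => 'example_validate_request',
	) );
} );
```

A client obtains the nonce from wp_create_nonce( 'wp_rest' ) in the page and sends it in the X-WP-Nonce header; a request to /stats without it is rejected before example_get_stats runs.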

@aatanasov-cloudinary marked this pull request as ready for review February 2, 2026 11:31
@aatanasov-cloudinary changed the base branch from master to develop February 2, 2026 11:32

@gabriel-detassigny left a comment

Everything works as expected 👍

@aatanasov-cloudinary merged commit ed23449 into develop Feb 2, 2026
5 checks passed

Development

Successfully merging this pull request may close these issues.

Security Vulnerability Report: Broken Access Control (CVE-2026-24560)

5 participants