Properly authenticate the AJAX request

Emilia-Capital · Apr 25, 2024 · b307ec8 · b307ec8
1 parent 7df41cb
commit b307ec8
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 3 deletions.
diff --git a/js/admin-script.js b/js/admin-script.js
@@ -137,7 +137,8 @@ jQuery( document ).ready(
 					{
 						pageLength: 25,
 						ajax: {
-							url: aaaOptionOptimizer.root + 'aaa-option-optimizer/v1/all-options/',
+							url: aaaOptionOptimizer.root + 'aaa-option-optimizer/v1/all-options',
+							headers: { 'X-WP-Nonce': aaaOptionOptimizer.nonce },
 							type: 'GET',
 							dataSrc: 'data',
 						},

diff --git a/src/class-rest.php b/src/class-rest.php
@@ -100,12 +100,12 @@ public function register_rest_routes() {
 
 		\register_rest_route(
 			'aaa-option-optimizer/v1',
-			'/all-options/',
+			'/all-options',
 			[
 				'methods'             => 'GET',
 				'callback'            => [ $this, 'get_all_options' ],
 				'permission_callback' => function () {
-					return true;
+					return current_user_can( 'manage_options' );
 				},
 			]
 		);