WP REST API Post Status Using JavaScript

In this tutorial, the post var status=”draft”; (see code). So I am just worried that won’t anyone able to hack that status?

It depends who it is. A logged out user cannot create any posts at all. A subscriber cannot either. A contributor could create the post, but not publish it. An author or editor role however can change it to publish.

So, lets say that the user is logged in, and has a role that lets them publish posts, and they are on that page, and you’re concerned that they might change status = "draft" to status = "publish".

First, the bug in your code

Firstly, the status variable is never used due to a bug in your code. The posts get created as draft posts not because you said so, but because that’s the default status.

To fix this bug, you need to add this to data:

status: status

Until you do that, they could change status to "banana" and it wouldn’t do anything.

Second, REST is stateless

The REST API doesn’t know what page the user is on, that’s not how REST API’s work. What they can and can’t do is controlled via capabilities.

So who cares if they can modify your variable when they can just poke the API themselves?

They could copy paste the following code into their browsers dev tools console:

$.ajax({
        method: "POST",
        url: POST_SUBMITTER.root + 'wp/v2/posts',
        data: {
            title: "hello world",
            content: "post content",
            status: "publish"
        },
        beforeSend: function ( xhr ) {
            xhr.setRequestHeader( 'X-WP-Nonce', POST_SUBMITTER.nonce );
        },
    });

And hey presto, they don’t need to modify your code! They have their own. As I said earlier, REST API requires 3 things:

  • a nonce
  • a cookie
  • the required capabilities to do what’s being asked.

Nothing requires them to use the code from your theme, or for your code to even load. As long as they’re logged in, and they have the capability, it will allow them.

Who Can Change a Posts Status in The REST API?

Which is the crux of your question, and the answer is it depends. Anybody who tells you either yes or no is a liar, and has not thought it through.

For example, a contributor cannot publish a post, so if they changed the post_status to publish the API would reject the request. You’d receive a JSON structure telling you that what you tried was forbidden, and a 403 forbidden HTTP response code.

If a subscriber user tried, it would reject it too, even if the status was draft, because subscribers cannot create posts. You’d receive a JSON structure telling you that what you tried was forbidden, and a 403 forbidden HTTP response code.

If an administrator tried it, it would work, because administrator roles can do anything. You’d get a 200 http code success response. The same of an editor of author, because those roles can do that, as demonstrated by them being able to go to wp-admin and click the publish button.

This is because those roles have the capability to publish posts assigned to their roles. If you removed that capability then they would no longer be able to publish in the REST API, or the WP Admin interface

So as you see, It depends on the roles and capabilities of the logged in user making the request

Related Posts:

  1. Nonce retrieved from the REST API is invalid and different from nonce generated in wp_localize_script
  2. REST API: Backbone and custom endpoint
  3. Gutenberg custom block plugin with custom image sizes
  4. Get loading state of wp data selector
  5. WP REST – video and audio players
  6. Headless WordPress: How to authenticate front end requests?
  7. Post to WordPress using REST API from external site
  8. How to handle malformed response from WP REST API?
  9. Rest API authentication issue when called from fetch request in bundle.js
  10. Get HTTP response code on non-2xx apiFetch request
  11. Rest API invalid nonce with Backbone Client
  12. How to transform a legacy widget into a block
  13. Authentication with the Rest API when using an External Application
  14. Get Block Attributes in JSON REST API
  15. Setting/unsetting terms using the Backbone JavaScript client
  16. Checks when fetching data from multiple REST API endpoints in Gutenberg
  17. Search for a keyword across post types in a Gutenberg component
  18. Using apiFetch for retrieving post data in Gutenberg
  19. Get terms of a taxonomy using useSelect
  20. Return ‘X-WP-Total’ from headers in response
  21. How to render WP Rest-API Endpoints in a React.js Theme with Woocommerce
  22. Retrieving data about comments and likes
  23. how to use nimble-API and Display data?
  24. Check if user can in javascript
  25. wp-api Backbone JS Client fetch options
  26. Why does my array sort order changes when I pass it to JS using WP_REST_Response?
  27. Rest API and how to deal with it in server side
  28. Access checks with custom REST endpoints and backbone
  29. [Vue warn]: Error in render: “TypeError: Cannot read property ‘wp:featuredmedia’ of undefined – REST API
  30. Update block once an API request returns with a value
  31. Get user in rest API endpoint
  32. How to improve WP-Rest atrocious response time?
  33. I would like to retrive JSON value and display it in wordpress page or widget
  34. Connecting a wordpress site to an AngularJS APP
  35. WordPress REST API response is empty in browser and script, but not in Postman
  36. WP REST API – “rest_user_cannot_view” ONLY on specific users
  37. Get Comment Text via REST API
  38. What is TypeScript and why would I use it in place of JavaScript? [closed]
  39. How to do associative array/hashing in JavaScript
  40. map function for objects (instead of arrays)
  41. How to write a countdown timer in JavaScript?
  42. TypeScript foreach return [duplicate]
  43. “document.getElementByClass is not a function”
  44. Go back button in a page
  45. ‘react-scripts’ is not recognized as an internal or external command
  46. After $npm install, Getting Error: Cannot find module ‘../lib/utils/unsupported.js’
  47. What’s the best way to convert a number to a string in JavaScript?
  48. React Native: this.setState is not a function
  49. CSS height 100% percent not working
  50. Angular 4 setting selected option in Dropdown
  51. How can I upload files asynchronously with jQuery?
  52. Cannot read property ‘bind’ of undefined. React.js
  53. Why is my asynchronous function returning Promise { } instead of a value?
  54. How can I convert an image into Base64 string using JavaScript?
  55. Javascript checkbox onChange
  56. Number prime test in JavaScript
  57. document.getElementById not working / Display
  58. What is jQuery Unobtrusive Validation?
  59. CreateElement with id?
  60. Print PDF directly from JavaScript
  61. Set value of hidden input with jquery
  62. element.setAttribute is not a function
  63. gapi is not defined – Google sign in issue with gapi.auth2.init
  64. Remove all special characters with RegExp
  65. jQuery: Get selected element tag name
  66. Does ECMAScript 6 have a convention for abstract classes?
  67. How to check for an undefined or null variable in JavaScript?
  68. HTML anchor link – href and onclick both?
  69. How to use forEach loop correctly in angular 2?
  70. javascript push multidimensional array
  71. How can I know which radio button is selected via jQuery?
  72. jquery toggleClass not working
  73. Can WordPress be made to support websockets?
  74. How to use wp.hooks.addAction() in React JS/Gutenberg?
  75. Remove extra Google Maps script
  76. single page wordpress
  77. How can I get the standard WP-Editor through Javascript?
  78. Exclude JS file from 404 error page
  79. Pass data from wordpress to javascript in JSON
  80. How to make wordpress URLS google friendly for ajax driven sites?
  81. Contact Form 7 – Uncaught TypeError: wpcf7.initForm is not a function [closed]
  82. js addclass function not working as expected, intereaction or special WP somethign needed?
  83. Where is script-loader.php creating JS tags
  84. WP TinyMCE (Full + media ) – 4.8 JS Init Dynamicly
  85. Get a default value of the Customizer setting using wp.customize API (JS)
  86. print script on wordpress header after user registered
  87. Load external javascript files
  88. Javascript alert appears before tag
  89. Bootstrap bundle present in page source but not working
  90. Web cover page open when button clicked
  91. Replace script attr or link
  92. Remove escape characters from JSON string pulled from a database
  93. How to pass data to javascript in custom widget class
  94. Client side pre-save Javascript hook on all admin pages
  95. WP Gutenberg – custom block with two content fields
  96. How to add additional JavaScript code [duplicate]
  97. Contact form 7 hide and show fields depending up on the condition [closed]
  98. wp_enqueue has a resource but doesn’t generate a script tag [duplicate]
  99. Javascript not working on index.php but it is working on single post’s page
  100. Unable to change the location of a file