From 32d4605c4582a97e7a4c806884b98034044de3d7 Mon Sep 17 00:00:00 2001
From: Saad Tarhi
Date: Mon, 2 Jan 2023 14:49:12 +0100
Subject: [PATCH] Disable Rate Limiting when editing Blocks in admin (#7934)

* Disable Rate Limiting for users who can edit posts

To avoid limiting the number of edits in WP admin to our Woo Blocks, we need to disable rate limiting altogether. We simply disabled rate limiting for users who can edit posts!

* Refactor rate limiting code

* Fix disabled rate limiting bug for non admin users

* Refactored applying rate limiting code.

Co-authored-by: Paulo Arromba <17236129+wavvves@users.noreply.github.com>
---
 src/StoreApi/Authentication.php | 45 ++++++++++++++++++++++-----------
 1 file changed, 30 insertions(+), 15 deletions(-)

diff --git a/src/StoreApi/Authentication.php b/src/StoreApi/Authentication.php
index 1b2b69c7491..09159e0ef16 100644
--- a/src/StoreApi/Authentication.php
+++ b/src/StoreApi/Authentication.php
@@ -26,6 +26,35 @@ public function check_authentication( $result ) {
 			return $result;
 		}
 
+		// Enable Rate Limiting for logged-in users without 'edit posts' capability.
+		if ( ! current_user_can( 'edit_posts' ) ) {
+			$result = $this->apply_rate_limiting( $result );
+		}
+
+		// Pass through errors from other authentication methods used before this one.
+		return ! empty( $result ) ? $result : true;
+	}
+
+	/**
+	 * When the login cookies are set, they are not available until the next page reload. For the Store API, specifically
+	 * for returning updated nonces, we need this to be available immediately.
+	 *
+	 * @param string $logged_in_cookie The value for the logged in cookie.
+	 */
+	public function set_logged_in_cookie( $logged_in_cookie ) {
+		if ( ! defined( 'LOGGED_IN_COOKIE' ) || ! $this->is_request_to_store_api() ) {
+			return;
+		}
+		$_COOKIE[ LOGGED_IN_COOKIE ] = $logged_in_cookie;
+	}
+
+	/**
+	 * Applies Rate Limiting to the request, and passes through any errors from other authentication methods used before this one.
+	 *
+	 * @param \WP_Error|mixed $result Error from another authentication handler, null if we should handle it, or another value if not.
+	 * @return \WP_Error|null|bool
+	 */
+	protected function apply_rate_limiting( $result ) {
 		$rate_limiting_options = RateLimits::get_options();
 
 		if ( $rate_limiting_options->enabled ) {
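Review bot: The new `if ( ! current_user_can( 'edit_posts' ) )` guard in `check_authentication` exempts every account holding `edit_posts` — in stock WordPress that is Contributor and above — from Store API rate limiting on every route, not just the block-editor requests the commit message is trying to unblock, so on sites that hand out Contributor accounts freely this lifts limits on the cart/checkout routes where the limiter presumably matters most. Consider narrowing the exemption to something closer to the editor use case (a capability that actually implies admin block editing, or only the read-only routes the blocks call) and, at minimum, document the trade-off at the guard: `// NOTE: 'edit_posts' is granted to Contributors and above; this also lifts limits on cart/checkout for them.` The docblock on `apply_rate_limiting` advertises `@return \WP_Error|null|bool`, but the visible code only ever hands back `$result`, so the `bool` case is worth confirming or dropping. The body of `apply_rate_limiting` continues past the end of this hunk.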
@@ -65,21 +94,7 @@ public function check_authentication( $result ) {
 			$server->send_header( 'RateLimit-Reset', $rate_limit->reset );
 		}
 
-		// Pass through errors from other authentication methods used before this one.
-		return ! empty( $result ) ? $result : true;
-	}
-
-	/**
-	 * When the login cookies are set, they are not available until the next page reload. For the Store API, specifically
-	 * for returning updated nonces, we need this to be available immediately.
-	 *
-	 * @param string $logged_in_cookie The value for the logged in cookie.
-	 */
-	public function set_logged_in_cookie( $logged_in_cookie ) {
-		if ( ! defined( 'LOGGED_IN_COOKIE' ) || ! $this->is_request_to_store_api() ) {
-			return;
-		}
-		$_COOKIE[ LOGGED_IN_COOKIE ] = $logged_in_cookie;
+		return $result;
 	}
 
 	/**