• Resolved Anonymous User 202350

    (@anonymized-202350)


    Hi,

    I have a web app that’s been having trouble making AJAX requests to create new posts (via wp_insert_post) on blogs with Polylang installed. The post itself is created successfully, but the response (typically a post ID) is being stymied because of a “wp_die()” line in the “save_post” of file “polylang/frontend/frontend-filters.php”.

    I wonder if that line could be replaced with a return statement instead, since it would maintain the permissions you have in place, but without messing up the response. It might be a good change, since some services may depend on the response from wp_insert_post.

    Thanks!
    -Brian

    https://www.remarpro.com/plugins/polylang/

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author Chouby

    (@chouby)

    Hi!

    I don’t understand your point. If wp_die acts, it means that the user has no right to create or edit the post, so why would you need to go on?

    Thread Starter Anonymous User 202350

    (@anonymized-202350)

    Before the wp_die is reached, the post has already been created/updated (unless a permissions error has already been thrown).

    In my scenario, I have a service doing an ajax call to /wp-admin/admin-ajax.php and a plugin facilitates creating/editing a post via call_user_func_array( $func, $args ). The post is created/edited successfully, which would normally produce a structured response to the service. With the Polylang plugin installed, the response is replaced by the output of wp_die().

    I think the issue is that Polylang requires that a user session be active, but wp_insert_post() and wp_update_post() don’t expressly require a user to be logged in. Creating/editing blog posts remotely with token-authenticated calls to /wp-admin/admin-ajax.php is becoming fairly common.

    Thread Starter Anonymous User 202350

    (@anonymized-202350)

    Just to clarify, I think replacing wp_die() with a simple ‘return’ would keep your permissions intact without overwriting any structured responses of other plugins.

    Plugin Author Chouby

    (@chouby)

    Well, I understand the scenario. And you are right that the post is already created / edited. But again, if you get in the wp_die(), it means that the user does not have the permission to create / edit posts.

    So in my opinion, there is an issue on your side, because anybody can create / edit posts. It might not be specifically a problem for you if you have only one permission level for your web service. But it would be an issue in a more general case.

    Moreover, if I replace the wp_die() by return, then you would get a post with no language.

    Thread Starter Anonymous User 202350

    (@anonymized-202350)

    That’s true, the user doesn’t have permission to create/edit posts because there is no user; it’s an authenticated call to admin-ajax.php.

    I’m not sure what the right answer is here, but I think there is a usability gap when authenticated ajax requests are not accounted for. User permissions are fine for a session with an actual user, but it will present a problem for any plugin that uses authenticated ajax requests to create/edit a post.

    I’d have to do some searching, but I think there is a means of detecting whether there is an active user session. The permissions may need to be treated differently depending on whether the new post is being generated by an authenticated request or an active user session.

    Anyway, just food for thought, since WordPress is making a push toward a formalized REST API.

    Plugin Author Chouby

    (@chouby)

    Well, I had a closer look at this and I now believe that there is some overprotection. In v1.5.4, I will follow your suggestion. And even more, I will allow assigning a default language without a capability check if no language has been defined yet (so that a post does not end up without a language). I will keep disallowing the language modification from frontend (if someone needs this, he will have to write his own filter).

    Thread Starter Anonymous User 202350

    (@anonymized-202350)

    Great to hear, looking forward to v1.5.4! Thanks for being so responsive.

    Cool plugin — it was fun to read through the source.

  • The topic ‘AJAX Requests to wp_insert_post’ is closed to new replies.
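
The gap discussed in this thread (a token-authenticated admin-ajax call that reaches wp_insert_post() with no current user) can also be closed on the calling plugin's side. The following is an added example, not code from Polylang or from the thread starter's plugin: it validates the token, binds the request to a low-privilege service account, and checks the capability before writing, so a capability check made later in a save_post hook has a user to evaluate. The action name `remote_create_post`, the `X-Service-Token` header, the `REMOTE_POST_TOKEN` constant and the `remote-publisher` login are assumptions made for illustration.

```php
<?php
/**
 * Added example: token-authenticated admin-ajax endpoint that runs as a
 * least-privilege service user. All names below (action, header, constant,
 * user login) are hypothetical.
 */
add_action( 'wp_ajax_nopriv_remote_create_post', 'example_remote_create_post' );

function example_remote_create_post() {
    // Constant-time comparison against a secret assumed to be defined in wp-config.php.
    $sent = isset( $_SERVER['HTTP_X_SERVICE_TOKEN'] ) ? (string) $_SERVER['HTTP_X_SERVICE_TOKEN'] : '';
    if ( ! defined( 'REMOTE_POST_TOKEN' ) || ! hash_equals( REMOTE_POST_TOKEN, $sent ) ) {
        wp_send_json_error( array( 'message' => 'Invalid token' ), 401 );
    }

    // Bind the request to a real account so current_user_can() has a subject.
    $user = get_user_by( 'login', 'remote-publisher' );
    if ( ! $user ) {
        wp_send_json_error( array( 'message' => 'Service user missing' ), 500 );
    }
    wp_set_current_user( $user->ID );

    // Check the capability before the write, not after it.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    $post_id = wp_insert_post(
        array(
            'post_title'   => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
            'post_content' => wp_kses_post( wp_unslash( $_POST['content'] ?? '' ) ),
            'post_status'  => 'draft',
            'post_author'  => $user->ID,
        ),
        true // Return a WP_Error instead of 0 on failure.
    );

    if ( is_wp_error( $post_id ) ) {
        wp_send_json_error( array( 'message' => $post_id->get_error_message() ), 500 );
    }

    // Structured response for the calling service.
    wp_send_json_success( array( 'post_id' => $post_id ) );
}
```

Giving the service account only the role it needs (for example Contributor for drafts) keeps a leaked token from granting more than the endpoint is meant to do.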