BREAKING: WordPress Plugin Achieves Historic Milestone by Securing Things It Probably Should’ve Secured Before
DEVELOPERS EVERYWHERE — In a bold and inspiring leap forward, Advanced Custom Fields (ACF) announced today that it has successfully updated several features to now check whether users are actually allowed to do the things they’re trying to do.
The March 26th release includes groundbreaking innovations such as verifying permissions before editing posts, confirming users can preview content before showing it to them, and—perhaps most revolutionary of all—checking security nonces during security-related requests.
“It’s a huge step,” said one developer, staring blankly into the middle distance. “Previously, we were operating under a ‘vibes-based permissions system.’ Now we’ve introduced ‘permissions.’”
Among the highlights:
- The REST API now respects whether a user has
unfiltered_html, a concept many assumed was more of a suggestion than a rule - Block previews now require users to actually have access to the post they’re previewing, ending the popular “surprise admin view” feature
- Repeater fields using pagination will now verify permissions, bringing closure to what insiders called “the Wild West of clicking Next Page”
- AJAX requests now check nonces, marking the first time “security nonce” has been used for something other than decoration
Industry experts are calling this update “a return to basic security principles,” while others are praising it as “a thrilling reintroduction of common sense.”
One anonymous plugin confessed, “We’ve all been kind of hoping nobody would notice.”
At press time, developers were reportedly clearing cache, regenerating CSS, and whispering “please don’t break anything” as they hit update.