From a37c932545802a0583c8729d1e034ac46b942eda Mon Sep 17 00:00:00 2001
From: "Frank X. Blackburn"
Date: Mon, 18 Oct 2021 20:56:35 -0700
Subject: [PATCH] disable wp REST API in easywp (#169)

This commit consists 3 commits squashed together, dating back from May 2021:
* some initial draft that disables REST API?
* fix syntax errors, i was stupid
* pre-commit
Its main goals are:
1. Install `disable-json-api` to ensure no unauthenticated REST API access, and,
2. Help user install wordpress instead of letting users go to their website to set them up, as installation is required for plugins to be installed.
---
 makeservices/easywp | 24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/makeservices/easywp b/makeservices/easywp
index 6a343b0..d6621b4 100755
--- a/makeservices/easywp
+++ b/makeservices/easywp
@@ -69,4 +69,26 @@ wp core download
 wp config create --dbname="$user" --dbuser="$user" --dbpass="$sqlpass" --dbhost=mysql --dbcharset=utf8mb4
 # Somehow 644 is the default... See https://core.trac.wordpress.org/ticket/37264
 chmod 600 "$webroot/wp-config.php"
-echo "WordPress install successful. Go to https://www.ocf.berkeley.edu/~$user to finish the setup process."
+
+# This is the real install
+echo "WordPress configuration creation successful. Setting it up..."
+
+read -rp 'Enter your desired site title. (Default: newsite)' sitetitle
+if [ -z "$sitetitle" ]; then
+ sitetitle="newsite"
+fi
+read -rp 'Enter your desired admin username. (Default: admin)' adminname
+if [ -z "$adminname" ]; then
+ adminname="admin"
+fi
+
+echo "You admin e-mail will be '$(whoami)@ocf.berkeley.edu', the confirmation e-mail will not be sent to you."
+echo "WP-CLI will install wordpress for you. If you wish, enter your desired admin password and press enter; if you want one to be randomly generated for you, press enter."
+# Use --prompt so that password is not left in ~/.bash_history
+wp core install --admin_user="$adminname" --admin_email="$(whoami)@ocf.berkeley.edu" --skip-email --title=$sitetitle --url="https://www.ocf.berkeley.edu/~$user/" --prompt=admin_password
+# As we had `set -e`, installation must be complete as otherwise the script will end. If it is incomplete, people will still know as this step is verbose.
+
+echo "Campus web security regulations require us to disable unauthenticated REST API. We will install a WordPress plug-in to do that.
+ You may use other plug-ins that achieve the same thing, you may also disable or remove it afterwards, but it is your responsibility
+ to ensure your site complies with regulations. Failure to do so may result in your account being suspended."
+wp plugin install disable-json-api --activate
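Review bot: `--title=$sitetitle` in the `wp core install` line is the only expansion in this hunk left unquoted, so a title typed with spaces is word-split (and glob-expanded) and every word after the first reaches WP-CLI as a separate argument or option instead of being part of the title; it should read `--title="$sitetitle"`. The admin username falls back to `admin`, a widely guessed WordPress login, so a less predictable default such as `adminname="$user"` (the variable the hunk already uses for the site URL) would fit better with the stated goal of limiting unauthenticated exposure. `wp plugin install disable-json-api --activate` installs whatever release the plugin directory currently serves; since this plugin is the compliance control, consider pinning it with `--version=<pinned-version>` and checking the command's outcome explicitly. The script begins above this hunk, so `$user`, `$webroot` and the `set -e` that the added comment relies on are not visible here.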