From b01e7e0e88049512c8969ed237bc2bf7a07ad629 Mon Sep 17 00:00:00 2001
From: Matt Batchelder <matt@buzzbee.dev>
Date: Sat, 21 Feb 2026 12:21:55 -0500
Subject: [PATCH] Implement AJAX handler for admin bar pull button and remove
 REST API endpoint for pulling pages

---
 includes/admin.php | 35 +++++++++++++++++++++++++----------
 includes/rest.php  | 23 -----------------------
 2 files changed, 25 insertions(+), 33 deletions(-)

diff --git a/includes/admin.php b/includes/admin.php
index fe3f63b..35333c3 100644
--- a/includes/admin.php
+++ b/includes/admin.php
@@ -29,6 +29,18 @@ add_action( 'admin_bar_menu', function ( WP_Admin_Bar $wp_admin_bar ) {
     ] );
 }, 100 );
 
+// AJAX handler for the admin bar pull button (no REST API exposure)
+add_action( 'wp_ajax_oribi_sync_pull_page', function () {
+    check_ajax_referer( 'oribi_sync_pull_page' );
+    if ( ! current_user_can( 'manage_options' ) ) wp_send_json_error( 'Permission denied.', 403 );
+
+    $post_id = (int) ( $_POST['post_id'] ?? 0 );
+    if ( $post_id < 1 ) wp_send_json_error( 'Missing or invalid post_id.', 400 );
+
+    $result = oribi_sync_pull_page_from_repo( $post_id );
+    $result['ok'] ? wp_send_json_success( $result ) : wp_send_json_error( $result, 500 );
+} );
+
 // Front-end script that wires up the admin bar pull button
 add_action( 'wp_footer', function () {
     if ( ! is_user_logged_in() ) return;
@@ -39,9 +51,9 @@ add_action( 'wp_footer', function () {
     $post = get_queried_object();
     if ( ! $post instanceof WP_Post ) return;
 
-    $api_url = rest_url( 'oribi-sync/v1/pull-page' );
-    $nonce   = wp_create_nonce( 'wp_rest' );
-    $post_id = (int) $post->ID;
+    $ajax_url = admin_url( 'admin-ajax.php' );
+    $nonce    = wp_create_nonce( 'oribi_sync_pull_page' );
+    $post_id  = (int) $post->ID;
     ?>
     <script>
     (function () {
@@ -57,18 +69,21 @@ add_action( 'wp_footer', function () {
             if (link) { link.style.opacity = '0.5'; link.style.pointerEvents = 'none'; }
             if (label) { label.textContent = 'Pulling…'; }
 
-            fetch(<?php echo wp_json_encode( $api_url ); ?>, {
+            var data = new URLSearchParams({
+                action:   'oribi_sync_pull_page',
+                _ajax_nonce: <?php echo wp_json_encode( $nonce ); ?>,
+                post_id:  <?php echo $post_id; ?>
+            });
+
+            fetch(<?php echo wp_json_encode( $ajax_url ); ?>, {
                 method: 'POST',
                 credentials: 'same-origin',
-                headers: {
-                    'Content-Type': 'application/json',
-                    'X-WP-Nonce': <?php echo wp_json_encode( $nonce ); ?>
-                },
-                body: JSON.stringify({ post_id: <?php echo $post_id; ?> })
+                headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+                body: data.toString()
             })
             .then(function (r) { return r.json(); })
             .then(function () {
-                // Hard reload — append a cache-busting param to force a fresh response
+                // Hard reload — cache-busting param forces a fresh response
                 var url = new URL(window.location.href);
                 url.searchParams.set('_nocache', Date.now());
                 window.location.replace(url.toString());
diff --git a/includes/rest.php b/includes/rest.php
index 141dfd4..23c768b 100644
--- a/includes/rest.php
+++ b/includes/rest.php
@@ -48,15 +48,6 @@ add_action( 'rest_api_init', function () {
         },
     ] );
 
-    // ── Pull single page + theme ───────────────────────────────────────────
-    register_rest_route( 'oribi-sync/v1', '/pull-page', [
-        'methods'             => 'POST',
-        'callback'            => 'oribi_sync_rest_pull_page',
-        'permission_callback' => function () {
-            return current_user_can( 'manage_options' );
-        },
-    ] );
-
     // ── Webhook (secret-based auth, no WP login required) ─────────────────
     register_rest_route( 'oribi-sync/v1', '/webhook', [
         'methods'             => 'POST',
@@ -95,20 +86,6 @@ function oribi_sync_rest_status(): WP_REST_Response {
     ] );
 }
 
-/**
- * REST: Pull a single page and theme from the repo.
- */
-function oribi_sync_rest_pull_page( WP_REST_Request $request ): WP_REST_Response {
-    $post_id = (int) $request->get_param( 'post_id' );
-    if ( $post_id < 1 ) {
-        return new WP_REST_Response( [ 'ok' => false, 'message' => 'Missing or invalid post_id.' ], 400 );
-    }
-
-    $result = oribi_sync_pull_page_from_repo( $post_id );
-
-    return new WP_REST_Response( $result, $result['ok'] ? 200 : 500 );
-}
-
 /**
  * REST: Webhook trigger.
  *