• Resolved onigi

    (@onigi)


    Hi, I have a membership website and I restrict the access to content and taxonomies using Groups (Groups, Restrict Categories, WooCommerce).

    I have disabled the WP REST-API JSON because the restrictions are not working.

    I.e. the results of http://mywebsite.com/wp-json/wp/v2/posts/ include all the posts, not only the ones the user should be able to read.

    Is there a way to apply the Group restriction to WP REST-API JSON results?

    Many thanks!

    • This topic was modified 7 years, 3 months ago by onigi.
  • Plugin Author Kento

    (@proaktion)

    Hi,

    Many thanks for pointing out the issue.

    Based on what I’ve seen, currently restricted entries can come up when requested directly, e.g. http://example.com/wp-json/wp/v2/posts/453 although no content is provided. Although the entry returned does not provide the protected post’s content (it’s an empty string so our content filter seems to be applied), it does reveal the existence of the post to an unauthorized user so this is a security issue. I’m not sure yet why this happens because the protected method WP_REST_Posts_Controller::get_post() that handles this actually uses the function get_post() which should have Groups’ filters applied; these would eliminate the post from the results and the query should return no post, but it seems they are not called … so this needs to be fixed.

    If we query for posts in a category, e.g. http://example.com/wp-json/wp/v2/posts?categories=1&order=desc&orderby=date, any protected posts are in fact excluded from the results, so here all filters seem to be applied correctly.

    In any case, this must be fixed as soon as possible – I’ll follow up here.

    Meanwhile, if there’s anything else you have observed or would like to point out related to this issue, I’d appreciate your and anyone’s comments.

    • This reply was modified 7 years, 2 months ago by Kento. Reason: spelling
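    The single-post leak described above comes from the fact that get_post() loads one row directly, without running WP_Query, so the query-level filters Groups relies on never fire. Below is an added example (not Groups' own code and not the fix shipped in 2.3.0) of a small plugin that closes that gap at the REST layer: it answers a direct request for a protected post with the same 404 that WordPress returns for a non-existent ID, so the response no longer reveals whether the post exists. It assumes the Groups plugin is active and exposes Groups_Post_Access::user_can_read_post( $post_id, $user_id ); treat that method name as an assumption and check it against your installed version.

```php
<?php
/**
 * Added example, not part of Groups: hide protected posts from single-item
 * REST requests (e.g. /wp-json/wp/v2/posts/453) with the same error that
 * WordPress uses for an invalid ID, so protected and non-existent posts are
 * indistinguishable to an unauthorized client.
 *
 * Assumption: Groups_Post_Access::user_can_read_post( $post_id, $user_id )
 * is provided by the Groups plugin.
 */
add_filter( 'rest_prepare_post', 'example_groups_rest_hide_protected', 10, 3 );
add_filter( 'rest_prepare_page', 'example_groups_rest_hide_protected', 10, 3 );

function example_groups_rest_hide_protected( $response, $post, $request ) {
    // Only act when the Groups access check is available.
    if ( ! class_exists( 'Groups_Post_Access' ) ) {
        return $response;
    }

    // 0 for unauthenticated requests, i.e. a visitor with no group membership.
    $user_id = get_current_user_id();

    if ( Groups_Post_Access::user_can_read_post( $post->ID, $user_id ) ) {
        return $response;
    }

    // Collection requests are already filtered by Groups' query filters (as
    // noted above), so this branch is reached only for direct single-item
    // requests. Same code, message and status as WP_REST_Posts_Controller
    // returns for an unknown ID.
    return new WP_Error(
        'rest_post_invalid_id',
        __( 'Invalid post ID.' ),
        array( 'status' => 404 )
    );
}
```

    Drop the file into wp-content/mu-plugins/ and compare the responses for a protected post ID and for an ID that does not exist; both should return HTTP 404 with the rest_post_invalid_id body.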
    Plugin Author Kento

    (@proaktion)

    FYI The new version 2.3.0 has just been released which takes care of the requests to single posts. I’ll mark this as resolved but please let me know if you see any further issues.

    Hi Kento,

    When querying all posts which are only accessible to groups by calling http://example.com/wp-json/wp/v2/posts/, it loads posts as for unregistered users, no matter which group the logged-in user belongs to.

    Do you have a reference document for implementing this: posts of group A will only display for group A users who are logged in, when calling the WP REST API?

    • This reply was modified 7 years, 2 months ago by quocpt.
    Plugin Author Kento

    (@proaktion)

    Hi @quocpt,

    You need to have your user authenticated to have the protected posts included.

    Useful resources:

    – Authentication https://developer.wordpress.org/rest-api/using-the-rest-api/authentication/
    – a Basic Authentication plugin for tests https://github.com/WP-API/Basic-Auth

  • The topic ‘Apply restrictions to WP REST-API JSON’ is closed to new replies.