Plugin Author
Kento
(@proaktion)
Hi,
Many thanks for pointing out the issue.
Based on what I’ve seen, currently restricted entries can come up when requested directly, e.g. http://example.com/wp-json/wp/v2/posts/453 although no content is provided. Although the entry returned does not provide the protected post’s content (it’s an empty string so our content filter seems to be applied), it does reveal the existence of the post to an unauthorized user so this is a security issue. I’m not sure yet why this happens because the protected method WP_REST_Posts_Controller::get_post() that handles this actually uses the function get_post() which should have Groups’ filters applied; these would eliminate the post from the results and the query should return no post, but it seems they are not called … so this needs to be fixed.
If we query for posts in a category, e.g. http://example.com/wp-json/wp/v2/posts?categories=1&order=desc&orderby=date, any protected posts are in fact excluded from the results, so here all filters seem to be applied correctly.
In any case, this must be fixed as soon as possible – I’ll follow up here.
Meanwhile, if there’s anything else you have observed or would like to point out related to this issue, I’d appreciate your and anyone’s comments.
-
This reply was modified 7 years, 2 months ago by Kento. Reason: spelling
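As an added example (not the Groups plugin's own code and not part of this thread), one way to close the gap described above from a small WordPress mu-plugin: intercept single-post REST requests before the controller callback runs and answer for a restricted post exactly as core answers for a non-existent ID, so an unauthorized caller cannot distinguish the two. `groups_user_can_read_post()` is a hypothetical access predicate standing in for the plugin's real check.

```php
<?php
/**
 * Added example: hide restricted posts from single-post REST requests
 * such as /wp/v2/posts/453.
 *
 * WP_REST_Posts_Controller::get_post() loads the post with get_post(), which
 * bypasses the query filters that already hide restricted posts from the
 * /wp/v2/posts collection. Hook rest_request_before_callbacks, which runs
 * before the permission and main callbacks, and return the same WP_Error
 * core uses for an unknown ID (404) so nothing about the post leaks.
 *
 * groups_user_can_read_post( $post_id, $user_id ) is a hypothetical
 * predicate standing in for the plugin's actual access check.
 */
add_filter( 'rest_request_before_callbacks', 'example_hide_restricted_single_post', 10, 3 );

function example_hide_restricted_single_post( $response, $handler, $request ) {
	// Leave requests that already carry an error, and all other routes, untouched.
	if ( is_wp_error( $response ) ) {
		return $response;
	}
	if ( ! preg_match( '#^/wp/v2/posts/(\d+)$#', $request->get_route(), $m ) ) {
		return $response;
	}

	$post_id = (int) $m[1];

	// Unauthenticated callers have user ID 0 and fail the check for restricted posts.
	if ( ! groups_user_can_read_post( $post_id, get_current_user_id() ) ) {
		// Same error code, message and status core returns for a post that does
		// not exist, so the response does not reveal that the post is there.
		return new WP_Error(
			'rest_post_invalid_id',
			__( 'Invalid post ID.' ),
			array( 'status' => 404 )
		);
	}

	return $response;
}
```

Returning a WP_Error from this filter makes WP_REST_Server skip the permission and main callbacks, so the check applies to every method on that route, not only GET.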
Plugin Author
Kento
(@proaktion)
FYI, the new version 2.3.0 has just been released, which takes care of the requests to single posts. I'll mark this as resolved but please let me know if you see any further issues.
Hi Kento,
When querying all posts that are only accessible to groups by calling http://example.com/wp-json/wp/v2/posts/, it loads the posts as for unregistered users, no matter which group the logged-in user belongs to.
Do you have a reference document for implementing this: posts of group A will only display for group A users logged in by calling the WP REST API?
-
This reply was modified 7 years, 2 months ago by quocpt.
Plugin Author
Kento
(@proaktion)
Hi @quocpt,
You need to have your user authenticated to have the protected posts included.
Useful resources:
– Authentication https://developer.wordpress.org/rest-api/using-the-rest-api/authentication/
– a Basic Authentication plugin for tests https://github.com/WP-API/Basic-Auth