Automattic / maintenance-mode-wp

Shut down your site for a little while and do some maintenance on it!


Protect API endpoints

mjangda opened this issue · comments

When maintenance mode is enabled, we should make sure that REST API and XML-RPC endpoints are restricted to the proper capabilities as well.

For the REST API, we can hook late into rest_authentication_errors and return an error if the requesting user does not have the proper caps. Something like:

add_filter( 'rest_authentication_errors', function( $result ) {
    // Keep any error an earlier authentication handler already produced.
    if ( is_wp_error( $result ) ) {
        return $result;
    }
    $required_capability = apply_filters( 'vip_maintenance_mode_required_cap', 'edit_posts' );
    if ( ! current_user_can( $required_capability ) ) {
        // Pass a status so the API answers 401/403 instead of a generic 500.
        return new WP_Error(
            'rest_forbidden',
            __( 'Sorry, you are not allowed to do that.' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }

    return $result;
}, 999 );
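The XML-RPC half of the issue needs a different hook, because XML-RPC authenticates per method call from credentials in the request body, so no current user exists when the request arrives. The following mu-plugin is an added example, not code from the maintenance-mode-wp plugin or from the issue author; it assumes a VIP_MAINTENANCE_MODE constant signals that maintenance mode is on, reuses the vip_maintenance_mode_required_cap filter from the issue, and the mm_example_can_bypass() helper name is hypothetical.

```php
<?php
/**
 * Added example (not part of maintenance-mode-wp): gate the REST API and
 * XML-RPC while maintenance mode is on. Assumes the VIP_MAINTENANCE_MODE
 * constant; drop the file into wp-content/mu-plugins/.
 */

// Hypothetical helper: true when the request may bypass the maintenance gate.
function mm_example_can_bypass() {
    if ( ! defined( 'VIP_MAINTENANCE_MODE' ) || ! VIP_MAINTENANCE_MODE ) {
        return true; // Maintenance mode is off; nothing to gate.
    }
    $cap = apply_filters( 'vip_maintenance_mode_required_cap', 'edit_posts' );
    return current_user_can( $cap );
}

// REST API: priority 999 runs after cookie/nonce and application-password
// handlers have set the current user. Never overwrite an earlier error.
add_filter( 'rest_authentication_errors', function ( $result ) {
    if ( is_wp_error( $result ) || mm_example_can_bypass() ) {
        return $result;
    }
    return new WP_Error(
        'rest_forbidden',
        __( 'This site is temporarily down for maintenance.' ),
        // 401 for anonymous callers, 403 for logged-in users lacking the cap.
        array( 'status' => rest_authorization_required_code() )
    );
}, 999 );

// XML-RPC: no capability is known before each method logs in, so refuse the
// transport. xmlrpc_enabled => false makes every method that calls login()
// fail with fault 405 "XML-RPC services are disabled on this site."
add_filter( 'xmlrpc_enabled', function ( $enabled ) {
    return ( defined( 'VIP_MAINTENANCE_MODE' ) && VIP_MAINTENANCE_MODE ) ? false : $enabled;
} );

// Methods that never log in (e.g. pingback.ping) are not covered by the
// flag above, so also empty the method table while maintenance mode is on.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    return ( defined( 'VIP_MAINTENANCE_MODE' ) && VIP_MAINTENANCE_MODE ) ? array() : $methods;
} );
```

To check the gate, an unauthenticated GET of /wp-json/wp/v2/posts should now return HTTP 401 with the rest_forbidden code, and a request to /xmlrpc.php for any method other than system.* should return an XML-RPC fault rather than data.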