
Disable default WordPress REST Endpoints #2338

Closed
Buooy opened this Issue Mar 3, 2016 · 10 comments

Comments

10 participants

Buooy commented Mar 3, 2016

Is there a way to disable the default WordPress REST endpoints? We would not like to expose those but limit it to a few custom post types that we had created on our own.

rmccue (Member) commented Mar 3, 2016

To remove the default post types from the API:

add_action( 'plugins_loaded', function () {
    // remove_filter() only matches when the priority equals the one used at
    // registration; core hooks this callback on init at priority 11.
    remove_filter( 'init', '_add_extra_api_post_type_arguments', 11 );
});

If you want to remove all endpoints from the API:

add_action( 'plugins_loaded', function () {
    // create_initial_rest_routes is registered on rest_api_init at priority 99,
    // so the same priority has to be passed here for the removal to take effect.
    remove_filter( 'rest_api_init', 'create_initial_rest_routes', 99 );
});

@rmccue rmccue closed this Mar 3, 2016

@rmccue rmccue added the Support label Mar 3, 2016


gino8080 commented Mar 8, 2016

Is there a way to disable only certain Endpoints?
for example the Users endpoint?

danielbachhuber (Member) commented Mar 8, 2016

Is there a way to disable only certain Endpoints?

Yes, they're filterable with the rest_endpoints filter.

for example the Users endpoint?

See:

add_filter( 'rest_endpoints', function( $endpoints ){
    // Keys of $endpoints are the route regexes; drop the collection route ...
    if ( isset( $endpoints['/wp/v2/users'] ) ) {
        unset( $endpoints['/wp/v2/users'] );
    }
    // ... and the single-user route.
    if ( isset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] ) ) {
        unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
});

cnasikas commented Jul 31, 2016

The rest_endpoints filter is not firing. I searched the code and I can't find the declaration of the rest_endpoints filter.


1ucay commented Sep 5, 2016

How can I remove a route only for non-logged-in users? thx


lesterchan commented Nov 24, 2016

Just an update, rest_api_init is an action not a filter.

So this code should work

// Priority 99 matches the priority core used when adding the callback.
remove_action( 'rest_api_init', 'create_initial_rest_routes', 99 );

squarecandy commented Dec 1, 2017

Here's my filter to disallow non-logged-in use of the REST API completely:

// rest_api_init is an action; add_action() would be the idiomatic call, but
// add_filter() attaches to the same hook table, so this works as written.
add_filter( 'rest_api_init', 'rest_only_for_authorized_users', 99 );
function rest_only_for_authorized_users($wp_rest_server){
    // Abort the request for anonymous users before any route is dispatched.
    if ( !is_user_logged_in() ) {
        wp_die('cheatin eh?');
    }
}

cristi-contiu commented Dec 8, 2017

Could not find a solution that removes some routes (not all) for unauthenticated users. I could not use is_user_logged_in() in the filter rest_endpoints because it always returns false.


majick777 commented Dec 14, 2017

@cristi-contiu I was finding the same, but with a little digging realized it also does that when the nonce value is not supplied!

If you check at an earlier point you will probably find is_user_logged_in gives true, but after a nonce check failure the current user is set to 0, so then is_user_logged_in always returns false (see the rest_cookie_check_errors function, hooked to rest_authentication_errors with priority 100).

You can test this by bypassing the nonce check (for development only of course!) like this:

add_filter('rest_authentication_errors', 'rest_cookie_nonce_bypass', 99);
function rest_cookie_nonce_bypass($access) {
    // Priority 99 runs just before rest_cookie_check_errors (priority 100),
    // which skips its nonce check when this global is not true.
    global $wp_rest_auth_cookie;
    $wp_rest_auth_cookie = false;
    return $access;
}

If you do that then your check in rest_endpoints will work. However, of course you don't want to keep it like that; this is just telling you that you need to use the nonces (or another authentication method) as described in the REST handbook:
https://developer.wordpress.org/rest-api/using-the-rest-api/authentication/

To cut a long story short, tests for is_user_logged_in in rest_endpoints filter in production environments should actually work as intended (if nonce or other authentication is used.)


cristi-contiu commented Dec 19, 2017

@majick777 Thank you very much, you are indeed correct: if no nonce is present, then is_user_logged_in() will fail, even if the user is authenticated.

I will expose some endpoints only to authenticated users and hope that future API calls made from core (eg: from wp-admin) to these endpoints will also send a nonce, even for lists/fetch.
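Putting the two threads above together (hiding routes for everyone, and gating the rest behind authentication without tripping over the nonce behaviour), as an added example that is not code from this thread or from WordPress core. The allow-list and the example_public_rest_routes() helper are assumptions for illustration:

```php
<?php
// Added example (not from this thread or WordPress core): deny unauthenticated
// REST requests except for an allow-list of routes, and drop the users routes.
// Load as an mu-plugin. example_public_rest_routes() is a hypothetical helper.

// Routes that stay reachable without authentication (constructed allow-list).
function example_public_rest_routes() {
    return array(
        '#^/wp/v2/posts(/|$)#', // public posts listing and single post
        '#^/myplugin/v1/#',     // hypothetical custom namespace
    );
}

// Priority 101 runs after rest_cookie_check_errors (priority 100), which resets
// the current user to 0 when the cookie is valid but no nonce was sent. Checking
// is_user_logged_in() earlier would wrongly treat such requests as authenticated.
add_filter( 'rest_authentication_errors', function ( $result ) {
    // An upstream authenticator already succeeded (true) or failed (WP_Error).
    if ( true === $result || is_wp_error( $result ) ) {
        return $result;
    }
    if ( is_user_logged_in() ) {
        return $result;
    }
    // rest_api_loaded() dispatches the route stored in this query var.
    $route = isset( $GLOBALS['wp']->query_vars['rest_route'] )
        ? '/' . ltrim( $GLOBALS['wp']->query_vars['rest_route'], '/' )
        : '/';
    foreach ( example_public_rest_routes() as $pattern ) {
        if ( preg_match( $pattern, $route ) ) {
            return $result;
        }
    }
    // A WP_Error carrying a status yields a JSON 401 response, unlike wp_die().
    return new WP_Error(
        'rest_not_logged_in',
        __( 'You are not currently logged in.' ),
        array( 'status' => 401 )
    );
}, 101 );

// Remove every users route for everyone, including authenticated users.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    foreach ( array_keys( $endpoints ) as $route ) {
        if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );
```

Note that the prefix match also removes /wp/v2/users/me, which some wp-admin features call; narrow the match if that is not wanted.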
