Authorizer breaks REST-API #4

Closed
nurbs999 opened this issue Jan 12, 2016 · 9 comments

@nurbs999

Whenever I install authorizer, all REST API calls don't work anymore. Instead I get redirected to the index page in HTML format instead of a JSON response.
It's enough to activate the plugin to break the API.

WordPress: 4.4.1
Authorizer: 2.3.8

@figureone
Member

Thanks for the report, I'll trace down the problem.

@figureone
Member

Should be fixed in version 2.3.9, just released. Thanks for the report!
8527f06

@nurbs999
Author

Thanks for the quick fix. I just tried the new version and I must say that the REST API calls do work but are not protected from unauthorized users.
I have an LDAP server and configured authorizer to authenticate users against it, which works just fine, however the REST API is still callable without any login.
Is this the way it's supposed to be? Do you need any further information?

@figureone
Member

Have you configured authorizer to only allow access to logged in users? In my test environment, when I configured it that way, REST calls to the /wp-json/wp/v2/posts endpoint successfully showed the wp_die() html.
If you don't have authorizer configured to restrict access, then the /wp-json/wp/v2/posts endpoint will act just like visiting any post/page in your browser (but instead of returning html, it returns json). Restricted REST API calls (update, delete, etc.) will still require oauth authentication as per the docs:
http://v2.wp-api.org/guide/authentication/

@nurbs999
Author

Yes, I did. Here are my settings:

Login Access: Only approved users
Public Access: Only logged in users can see the site
External Service: Enable LDAP Logins (all needed LDAP settings are set)

@nurbs999
Author

Here are steps to reproduce:

Install fresh WP 4.4.1
Install Plugin REST API v2 2.0-beta10
Install Plugin Authorizer 2.3.12
Settings in Authorizer:

  • Login Access: Only approved users
  • Public Access: Only logged in users can see the site

Call to /wp-json/wp/v2/posts returns JSON-formatted posts instead of a not_authorized error
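
A regression check for the behaviour reported above, added here as an example and not part of the original thread or the Authorizer code base: it requests /wp-json/wp/v2/posts without credentials and classifies what comes back. The function names, verdict labels and sample responses are constructed for illustration.

```python
import json
import sys
import urllib.error
import urllib.request

# Constructed sample responses (status, Content-Type, body); not captured from a real site.
SAMPLES = {
    "posts": (200, "application/json; charset=UTF-8",
              '[{"id": 1, "title": {"rendered": "Hello world!"}}]'),
    "wp_die": (500, "text/html; charset=UTF-8",
               "<html><body><p>Access restricted.</p></body></html>"),
    "error": (401, "application/json; charset=UTF-8",
              '{"code": "not_authorized", "message": "Login required."}'),
}

def classify(status, content_type, body):
    """Classify the response to a request for /wp-json/wp/v2/posts sent without credentials."""
    if "json" not in content_type.lower():
        return "not_json"  # wp_die() page or the HTML index: no JSON post data returned
    try:
        data = json.loads(body)
    except ValueError:
        return "not_json"  # JSON content type but an unparsable body
    if status == 200 and isinstance(data, list):
        return "exposed"   # post collection served to an anonymous caller
    if status >= 400 and isinstance(data, dict) and "code" in data:
        return "denied"    # REST error object such as not_authorized
    return "unknown"

def check_site(base_url, timeout=10):
    """Fetch the posts endpoint anonymously and return the verdict."""
    url = base_url.rstrip("/") + "/wp-json/wp/v2/posts"
    try:
        resp = urllib.request.urlopen(url, timeout=timeout)
        status = resp.status
    except urllib.error.HTTPError as err:
        resp, status = err, err.code   # 4xx/5xx still carry headers and a body
    ctype = resp.headers.get("Content-Type", "")
    body = resp.read().decode("utf-8", "replace")
    resp.close()
    return classify(status, ctype, body)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        verdict = check_site(sys.argv[1])
        print(verdict)
        sys.exit(1 if verdict == "exposed" else 0)
    for name, sample in SAMPLES.items():
        print(name, "->", classify(*sample))
```

Run with a site's base URL as the only argument, the script exits non-zero when the verdict is `exposed`, so it can gate a plugin upgrade on a site set to "Only logged in users can see the site".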

@figureone
Member

Thanks, I'll see what I can do.

@figureone figureone reopened this Jan 28, 2016
@figureone
Member

Fixed here: a6804e1
This will get pushed out in the upcoming version, 2.3.13. Thanks for the help!

@figureone
Member

Sorry for the delay; fix just released in version 2.4.0.
https://wordpress.org/plugins/authorizer/changelog/
