Add option to expose REST-API only to authenticated users, maybe limited to a certain capability.
Read-only archive : Issues · ClassicPress/ClassicPress · GitHub
Author : Dora D.
Vote count : 61
Status : open
Tags :
request-modify-feature
difficulty-easy
Comments
There is the official OAuth plugin for the REST API that wasn’t integrated because it requires a new version of PHP. So maybe when we do that bump we can have that integration.
~ posted by Daniele Scasciafratte
I have written an IndieAuth, which is an OAuth variant plugin for WordPress. Would you consider that? It is also not written with a higher version requirement.
~ posted by David Shanske
I read a blog or comment somewhere about how disabling non-auth access to the REST API prevented a plugin from working properly which, in turn, led to a debugging nightmare for the site owner. Maybe Contact Form 7…can’t recall for sure… but this might be a consideration.
~ posted by John
John is right, Contact Form 7 breaks if you disable the REST-API. It was a real headache to figure it out when I first encountered the problem. On the (WP) sites where REST-API is not needed I usually use the “Disable REST API” plugin, which also provides a handy whitelisting feature to, for example, make CF7 work again.
~ posted by Antti Koskinen
Brett, I haven’t looked at the “Disable REST API” plugin’s code and how it handles the whitelisting so I’m afraid I don’t know that. The plugin’s whitelisting feature is just a settings page with a list of every plugin using the REST-API. You can then just tick the checkboxes for the plugins that should be able to access the API.
~ posted by Antti Koskinen
viktor
January 14, 2023, 5:33am
With v2 re-fork, we will keep WP’s application passwords. This petition will be closed, but if application passwords are not enough please open an issue on GitHub.
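
The restriction this petition asks for, combined with the allowlisting need the comments raise about Contact Form 7, can be sketched with core's `rest_authentication_errors` filter. This is an added example, not code from ClassicPress or from the “Disable REST API” plugin; the `edit_posts` capability, the `/contact-form-7/v1` route prefix and the error codes are assumptions chosen for illustration.

```php
<?php
/**
 * Plugin Name: Authenticated-only REST API (added example)
 */

// Priority 101 runs after core's cookie/nonce check (priority 100), so a
// cookie session sent without a valid REST nonce is already treated as
// logged out by the time this callback decides.
add_filter( 'rest_authentication_errors', function ( $result ) {
	// Assumption: capability a user must hold to reach the API at all.
	$required_cap = 'edit_posts';

	// Assumption: route prefixes that must stay public so front-end
	// features keep working (Contact Form 7 submits forms over REST).
	$public_prefixes = array( '/contact-form-7/v1' );

	// Keep an error raised by an earlier authentication handler.
	if ( is_wp_error( $result ) ) {
		return $result;
	}

	// Requested route as parsed by WordPress, normalised to a leading slash.
	$route = '/';
	if ( ! empty( $GLOBALS['wp']->query_vars['rest_route'] ) ) {
		$route = '/' . ltrim( (string) $GLOBALS['wp']->query_vars['rest_route'], '/' );
	}

	// Match whole path segments so "/contact-form-7/v1x" is not allowlisted.
	foreach ( $public_prefixes as $prefix ) {
		if ( $route === $prefix || 0 === strpos( $route, $prefix . '/' ) ) {
			return $result;
		}
	}

	if ( ! is_user_logged_in() ) {
		return new WP_Error( 'rest_login_required',
			'Authentication is required to use the REST API.',
			array( 'status' => 401 ) );
	}

	if ( ! current_user_can( $required_cap ) ) {
		return new WP_Error( 'rest_forbidden',
			'Your account is not allowed to use the REST API.',
			array( 'status' => 403 ) );
	}

	return $result;
}, 101 );
```

Requests authenticated with an application password resolve to a logged-in user before this filter runs, so they pass the first check and are then held to the same capability test.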