Forked from khromov/disable-rest-api-for-anonymous-users.php
Created
February 1, 2018 06:38
-
-
Save Esteban-Rocha/452e6e42d8a6348f4b25c310980a2b7c to your computer and use it in GitHub Desktop.
Disable WordPress REST API for anonymous users
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| /* | |
| Plugin Name: Disable REST API for anonymous users | |
| */ | |
| /** | |
| * Remove all endpoints except SAML / oEmbed for unauthenticated users | |
| */ | |
| add_filter( 'rest_authentication_errors', function($result) { | |
| if ( ! empty( $result ) ) { | |
| return $result; | |
| } | |
| $current_route = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '/'; | |
| //Please note that allowing /wp-json/route/ is equal to whitelisting /wp-json/route/.* | |
| $whitelisted_routes = array_merge(['/wp-json/saml', '/wp-json/oembed'], apply_filters('rest_allowed_anonymous_routes', [])); | |
| //search through whitelisted routes | |
| $route_allowed = false; | |
| foreach($whitelisted_routes as $whitelisted_route) { | |
| if(substr($current_route, 0, strlen($whitelisted_route)) === $whitelisted_route) { | |
| $route_allowed = true; | |
| break; | |
| } | |
| } | |
| //Handle whitelisting of routes for anonymous users (works for logged in as well) | |
| if($route_allowed) { | |
| return $result; | |
| } | |
| //Not whitelisted route, check if user is logged in and bail if not | |
| else if( !is_user_logged_in() ) { | |
| return new WP_Error( 'rest_cannot_access', __( 'Only authenticated users can access this endpoint.', 'disable-json-api' ), array( 'status' => rest_authorization_required_code() ) ); | |
| } | |
| //User is logged in, approve all | |
| else { | |
| return $result; | |
| } | |
| }); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment