Skip to content

Instantly share code, notes, and snippets.

@khromov
Created October 13, 2017 15:55
Show Gist options
  • Save khromov/471661daaa36553d297065930eaa5252 to your computer and use it in GitHub Desktop.
Save khromov/471661daaa36553d297065930eaa5252 to your computer and use it in GitHub Desktop.
Disable WordPress REST API for anonymous users
<?php
/*
Plugin Name: Disable REST API for anonymous users
*/
/**
* Remove all endpoints except SAML / oEmbed for unauthenticated users
*/
add_filter( 'rest_authentication_errors', function($result) {
if ( ! empty( $result ) ) {
return $result;
}
$current_route = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '/';
//Please note that allowing /wp-json/route/ is equal to whitelisting /wp-json/route/.*
$whitelisted_routes = array_merge(['/wp-json/saml', '/wp-json/oembed'], apply_filters('rest_allowed_anonymous_routes', []));
//search through whitelisted routes
$route_allowed = false;
foreach($whitelisted_routes as $whitelisted_route) {
if(substr($current_route, 0, strlen($whitelisted_route)) === $whitelisted_route) {
$route_allowed = true;
break;
}
}
//Handle whitelisting of routes for anonymous users (works for logged in as well)
if($route_allowed) {
return $result;
}
//Not whitelisted route, check if user is logged in and bail if not
else if( !is_user_logged_in() ) {
return new WP_Error( 'rest_cannot_access', __( 'Only authenticated users can access this endpoint.', 'disable-json-api' ), array( 'status' => rest_authorization_required_code() ) );
}
//User is logged in, approve all
else {
return $result;
}
});
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment