yoren/class-wp-rest-posts-controller-2.php

## class-wp-rest-posts-controller-2.php
<?php
/**
 * This funcion comes from the source code of WP-API:
 * https://github.com/WP-API/WP-API/blob/develop/lib/endpoints/class-wp-rest-posts-controller.php#L91
 *
 * Get a collection of posts
 *
 * @param WP_REST_Request $request Full details about the request
 * @return WP_Error|WP_REST_Response
 */
public function get_items( $request ) {
	$args = (array) $request->get_params();
	$args['post_type'] = $this->post_type;
	$args['paged'] = $args['page'];
	$args['posts_per_page'] = $args['per_page'];
	unset( $args['page'] );
	/**
	 * Alter the query arguments for a request.
	 *
	 * This allows you to set extra arguments or defaults for a post
	 * collection request.
	 *
	 * @param array $args Map of query var to query value.
	 * @param WP_REST_Request $request Full details about the request.
	 */
	$args = apply_filters( 'rest_post_query', $args, $request );
	$query_args = $this->prepare_items_query( $args );
	$posts_query = new WP_Query();
	$query_result = $posts_query->query( $query_args );

## class-wp-rest-posts-controller.php
<?php
/**
 * This funcion comes from the source code of WP-API:
 * https://github.com/WP-API/WP-API/blob/develop/lib/endpoints/class-wp-rest-posts-controller.php#L495
 *
 * */
class WP_REST_Posts_Controller extends WP_REST_Controller {
//...
	/**
	 * Get all the WP Query vars that are allowed for the API request.
	 *
	 * @return array
	 */
	protected function get_allowed_query_vars() {
		global $wp;
		$valid_vars = apply_filters( 'query_vars', $wp->public_query_vars );

		if ( current_user_can( 'edit_posts' ) ) {
			/**
			 * Alter allowed query vars for authorized users.
			 *
			 * If the user has the `edit_posts` capability, we also allow use of
			 * private query parameters, which are only undesirable on the
			 * frontend, but are safe for use in query strings.
			 *
			 * To disable anyway, use
			 * `add_filter('rest_private_query_vars', '__return_empty_array');`
			 *
			 * @param array $private List of allowed query vars for authorized users.
			 */
			$private = apply_filters( 'rest_private_query_vars', $wp->private_query_vars );
			$valid_vars = array_merge( $valid_vars, $private );
		}
		// Define our own in addition to WP's normal vars
		$rest_valid = array( 'posts_per_page', 'ignore_sticky_posts', 'post_parent' );
		$valid_vars = array_merge( $valid_vars, $rest_valid );

		/**
		 * Alter allowed query vars for the REST API.
		 *
		 * This filter allows you to add or remove query vars from the allowed
		 * list for all requests, including unauthenticated ones. To alter the
		 * vars for editors only, {@see rest_private_query_vars}.
		 *
		 * @param array $valid_vars List of allowed query vars.
		 */
		$valid_vars = apply_filters( 'rest_query_vars', $valid_vars );

		return $valid_vars;
	}

//...
}

## class-wp.php
<?php
/**
 * The piece of code is from wp-includes/class-wp.php
 *
 * WordPress environment setup class.
 *
 * @package WordPress
 * @since 2.0.0
 */
class WP {
	/**
	 * Public query variables.
	 *
	 * Long list of public query variables.
	 *
	 * @since 2.0.0
	 * @access public
	 * @var array
	 */
	public $public_query_vars = array('m', 'p', 'posts', 'w', 'cat', 'withcomments', 'withoutcomments', 's', 'search', 'exact', 'sentence', 'calendar', 'page', 'paged', 'more', 'tb', 'pb', 'author', 'order', 'orderby', 'year', 'monthnum', 'day', 'hour', 'minute', 'second', 'name', 'category_name', 'tag', 'feed', 'author_name', 'static', 'pagename', 'page_id', 'error', 'comments_popup', 'attachment', 'attachment_id', 'subpost', 'subpost_id', 'preview', 'robots', 'taxonomy', 'term', 'cpage', 'post_type');

	/**
	 * Private query variables.
	 *
	 * Long list of private query variables.
	 *
	 * @since 2.0.0
	 * @var array
	 */
	public $private_query_vars = array( 'offset', 'posts_per_page', 'posts_per_archive_page', 'showposts', 'nopaging', 'post_type', 'post_status', 'category__in', 'category__not_in', 'category__and', 'tag__in', 'tag__not_in', 'tag__and', 'tag_slug__in', 'tag_slug__and', 'tag_id', 'post_mime_type', 'perm', 'comments_per_page', 'post__in', 'post__not_in', 'post_parent', 'post_parent__in', 'post_parent__not_in' );

	//...

## functions-1.php
<?php

function my_allowed_meta_keys( $args ) {

	$allowed_meta_keys = array( 'age', 'gender' );

	if ( ! in_array( $args['meta_key'], $allowed_meta_keys ) ) {
		unset( $args['meta_key'] );
		unset( $args['meta_value'] );
	}

	return $args;
}
add_filter( 'rest_post_query', 'my_allowed_meta_keys' );

## functions.php
<?php

function my_allow_meta_query( $valid_vars ) {

	$valid_vars = array_merge( $valid_vars, array( 'meta_key', 'meta_value' ) );
	return $valid_vars;
}
add_filter( 'rest_query_vars', 'my_allow_meta_query' );
	<?php
	/**
	* This funcion comes from the source code of WP-API:
	* https://github.com/WP-API/WP-API/blob/develop/lib/endpoints/class-wp-rest-posts-controller.php#L91
	*
	* Get a collection of posts
	*
	* @param WP_REST_Request $request Full details about the request
	* @return WP_Error\|WP_REST_Response
	*/
	public function get_items( $request ) {
	$args = (array) $request->get_params();
	$args['post_type'] = $this->post_type;
	$args['paged'] = $args['page'];
	$args['posts_per_page'] = $args['per_page'];
	unset( $args['page'] );
	/**
	* Alter the query arguments for a request.
	*
	* This allows you to set extra arguments or defaults for a post
	* collection request.
	*
	* @param array $args Map of query var to query value.
	* @param WP_REST_Request $request Full details about the request.
	*/
	$args = apply_filters( 'rest_post_query', $args, $request );
	$query_args = $this->prepare_items_query( $args );
	$posts_query = new WP_Query();
	$query_result = $posts_query->query( $query_args );
	<?php
	/**
	* The piece of code is from wp-includes/class-wp.php
	*
	* WordPress environment setup class.
	*
	* @package WordPress
	* @since 2.0.0
	*/
	class WP {
	/**
	* Public query variables.
	*
	* Long list of public query variables.
	*
	* @since 2.0.0
	* @access public
	* @var array
	*/
	public $public_query_vars = array('m', 'p', 'posts', 'w', 'cat', 'withcomments', 'withoutcomments', 's', 'search', 'exact', 'sentence', 'calendar', 'page', 'paged', 'more', 'tb', 'pb', 'author', 'order', 'orderby', 'year', 'monthnum', 'day', 'hour', 'minute', 'second', 'name', 'category_name', 'tag', 'feed', 'author_name', 'static', 'pagename', 'page_id', 'error', 'comments_popup', 'attachment', 'attachment_id', 'subpost', 'subpost_id', 'preview', 'robots', 'taxonomy', 'term', 'cpage', 'post_type');

	/**
	* Private query variables.
	*
	* Long list of private query variables.
	*
	* @since 2.0.0
	* @var array
	*/
	public $private_query_vars = array( 'offset', 'posts_per_page', 'posts_per_archive_page', 'showposts', 'nopaging', 'post_type', 'post_status', 'category__in', 'category__not_in', 'category__and', 'tag__in', 'tag__not_in', 'tag__and', 'tag_slug__in', 'tag_slug__and', 'tag_id', 'post_mime_type', 'perm', 'comments_per_page', 'post__in', 'post__not_in', 'post_parent', 'post_parent__in', 'post_parent__not_in' );

	//...
	<?php

	function my_allowed_meta_keys( $args ) {

	$allowed_meta_keys = array( 'age', 'gender' );

	if ( ! in_array( $args['meta_key'], $allowed_meta_keys ) ) {
	unset( $args['meta_key'] );
	unset( $args['meta_value'] );
	}

	return $args;
	}
	add_filter( 'rest_post_query', 'my_allowed_meta_keys' );
	<?php

	function my_allow_meta_query( $valid_vars ) {

	$valid_vars = array_merge( $valid_vars, array( 'meta_key', 'meta_value' ) );
	return $valid_vars;
	}
	add_filter( 'rest_query_vars', 'my_allow_meta_query' );