How are you currently limiting the user view to his posts only? If it’s through the WP_Query methods somehow, such as the “pre_get_posts” action, then it would apply to API calls as well. The API goes through the same WP_Query process to get posts as a normal HTTP request would.
If you are not altering the WP_Query to restrict views, that is what you need to do to restrict API requests.
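An added example of the `pre_get_posts` approach described above (not code from the thread or from the Toolset plugin). It assumes a custom post type named `client_record` and that vendors' clients are ordinary logged-in users without the `edit_others_posts` capability; the second hook covers single-item REST reads, which do not pass through the list query.

```php
<?php
/*
 * Added example: make every list query for the 'client_record' post type
 * (admin screens, front end and the REST API collection endpoint alike)
 * return only posts authored by the current user. Post type name and
 * capability choice are assumptions for this example.
 */
add_action( 'pre_get_posts', 'example_restrict_client_records_to_author' );

function example_restrict_client_records_to_author( WP_Query $query ) {
    if ( 'client_record' !== $query->get( 'post_type' ) ) {
        return; // leave every other query alone
    }
    if ( current_user_can( 'edit_others_posts' ) ) {
        return; // site staff keep the full view
    }
    if ( ! is_user_logged_in() ) {
        // Anonymous callers get an empty result instead of the whole table.
        $query->set( 'post__in', array( 0 ) );
        return;
    }
    // Overrides any ?author=123 the caller put on the request: the server
    // decides whose records are visible, never the client.
    $query->set( 'author', get_current_user_id() );
}

/*
 * GET /wp-json/wp/v2/client_record/<id> fetches a single post with get_post()
 * and never runs the list query, so a published record would still be readable
 * by anyone who guesses its id. Deny it here unless the caller is the author.
 * Assumption: a WP_Error returned from this filter is turned into an error
 * response by the REST dispatcher (rest_ensure_response passes it through).
 */
add_filter( 'rest_prepare_client_record', 'example_deny_foreign_client_record', 10, 3 );

function example_deny_foreign_client_record( $response, WP_Post $post, $request ) {
    if ( current_user_can( 'edit_others_posts' ) ) {
        return $response;
    }
    if ( (int) $post->post_author !== get_current_user_id() ) {
        return new WP_Error(
            'rest_forbidden',
            'You may only read your own records.',
            array( 'status' => 403 )
        );
    }
    return $response;
}
```

Test it with two accounts: the second account's request for the first account's record id should receive a 403, and the collection endpoint with `?author=` set to the other user's id should still return only the caller's own posts.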
@bcworkz
Thank you so much for the information.
I’m using “toolset views” plugin to allow for views based on filters i.e. Author is the current login user.
Now I’m trying to allow selected vendors that have their own clients leverage my engine and have them allow their clients create posts on my site, read them and edit them directly from the vendor site.
So I need to find a way to authenticate the vendor client before allowing access only to his account.
The scenario is as follows:
1. User logs in to a vendor (3rd party) application
2. User wants to get data from my website using the vendor application
3. In the backend I envision that the vendor application will do the following
3.a Create an account for the user on my site – is it possible using the REST API?
3.b Vendor application gets the user name and password for my website and stores it for the client
3.c Vendor application creates a custom post on my site with the user credentials
3.d Vendor application pulls the custom post for the client and renders it on the vendor application
I want to prevent vendors seeing other non-vendor clients’ data, or someone reading all the custom posts of other users just by changing the author id in a query.
Any thoughts?
David
Hmmm, it’s hard to give specific ideas because you are relying on a plugin I’m not familiar with. On a positive note, just about anything should be possible in theory. But getting there is not always straightforward. In fact, just about anything is possible through the API alone by utilizing custom endpoints.
Adding users is a built-in functionality of the API. The problem you are going to run into is authentication. Not just anyone or any app can add users. I could see apps initially authenticating as a vendor. Once the user is added, somehow vendor authentication is locked out and only user authentication is possible. This has some security concerns I’m not sure how to resolve. Security built into client apps is somewhat of an oxymoron in my mind. I don’t build apps, maybe it’s not a big deal.
If authentication can be resolved, we’re back to: how are user views currently restricted? It may all just work, or more coding is required. It depends on the Toolset Views plugin you are using. You should ask the author of the plugin if the filters work for API calls. Or set up your own testing to verify. If not, something else can be worked out.