Support » Plugin: iThemes Security (formerly Better WP Security) » Allow specific users to the REST API

  • standerksen

    (@standerksen)


    Hello!

    Currently I want to use restricted access to the API for everyone visiting a certain website. However, there are certain users like myself and other developers who I want to give access to the API. Currently I am only able to enable/disable access to everyone at once. Is it possible to exclude certain users from this restricted access?

    Thanks in advance.

  • nlpro

    (@nlpro)

    No, by definition that’s not possible.

    Setting the REST API setting in the WordPress Tweaks module to Restricted Access does nothing more than forcing authentication (and authorization) for a limited number of (UNauthenticated and UNauthorized) endpoints that by default provide public access to potentially private data.

    However once the setting is enabled, individual users with the proper capabilities (authorization) can make authenticated REST API requests to the affected endpoints.

    Let’s take the unauthenticated users endpoint as an example.
    And let’s use cookie authentication as it’s pretty much available out of the box. The only thing we need is to add the following lines to the functions.php file of your active theme:

    // Print a REST nonce (action 'wp_rest') on every Dashboard page so it can be copied for the walk-through below.
    if ( is_admin() ) {
        echo '++++++++++++++++++++++++++++++++++++++++++ ' . wp_create_nonce( 'wp_rest' ) . ' +++++';
    }

    Then log into the WordPress Dashboard (WD) as an administrator and take note of the nonce token displayed as the result of the 3 lines added to the active theme functions.php file. We’ll need this token later on.
    Now set the REST API setting in the WordPress Tweaks module to Default Access.
    (At this point do not logout). For later reference let’s call this the WD tab.

    Then open a second tab in the browser (let’s call this the UE tab) and access the unauthenticated users endpoint (UE):

    http://www.domain.com/wp-json/wp/v2/users

    You will see that it returns all user data as expected.

    Switch back to the WD tab and set the REST API setting in the WordPress Tweaks module to Restricted Access.

    Switch to the UE tab and refresh the page. The result is:

    {"code":"itsec_rest_api_access_restricted","message":"You do not have sufficient permission to access this endpoint. Access to REST API requests is restricted by iThemes Security settings.","data":{"status":401}}

    So to make the users endpoint work we need to provide authentication like this:

    http://www.domain.com/wp-json/wp/v2/users?_wpnonce=%5Btoken%5D

    where [token] must be substituted with the nonce token we have previously generated in the WD tab.

    It works. Not only because of the authenticated REST API request but also because the user logged in on the WD tab is an administrator. And admin users have the list_users capability. So the user is authenticated as well as authorized.

    Repeat the procedure described above, but now login as a user that does not have the list_users capability… (authenticated but not authorized).

    • This reply was modified 2 years ago by nlpro. Reason: Replaced incorrect single quotes with correct ones in code
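The mechanism described in the reply above (anonymous requests to the users endpoint get a 401, while a request carrying a valid nonce keeps the logged-in user and is then judged by the endpoint's own list_users check), reconstructed with core WordPress hooks as an added example. This is not the iThemes Security plugin's code; the mu-plugin placement, the route pattern and the error code are assumptions.

```php
<?php
/**
 * Added example (not iThemes Security code): restrict a public REST route to
 * authenticated users using only core WordPress hooks.
 * Drop into wp-content/mu-plugins/ (assumed location).
 */

add_filter( 'rest_pre_dispatch', 'example_restrict_public_rest_routes', 10, 3 );

/**
 * Runs after core has performed authentication but before the endpoint callback.
 * Core's cookie check (rest_cookie_check_errors) has already decided by now:
 *   - valid _wpnonce / X-WP-Nonce  -> current user is the logged-in user
 *   - no nonce at all              -> current user forced to 0 (anonymous)
 *   - invalid nonce                -> request already rejected with 403
 */
function example_restrict_public_rest_routes( $result, WP_REST_Server $server, WP_REST_Request $request ) {
    // Routes that core serves to anonymous visitors but which expose account data.
    // Assumed list; /wp/v2/users is the endpoint used in the reply above.
    $restricted_routes = array( '#^/wp/v2/users(/|$)#' );

    foreach ( $restricted_routes as $pattern ) {
        if ( ! preg_match( $pattern, $request->get_route() ) ) {
            continue;
        }

        if ( ! is_user_logged_in() ) {
            // Authenticated-but-missing: same shape as the 401 shown in the reply,
            // with an assumed error code of our own.
            return new WP_Error(
                'example_rest_api_access_restricted',
                'Authentication is required for this endpoint.',
                array( 'status' => 401 )
            );
        }

        // Authenticated: fall through so the endpoint's own permission_callback
        // decides authorization (for /wp/v2/users that is the list_users capability),
        // which is why a logged-in subscriber still gets a 403 and an admin gets data.
    }

    return $result;
}
```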
  • The topic ‘Allow specific users to the REST API’ is closed to new replies.