Support » Plugin: Disable REST API » ANY logged-in visitor can view the disabled endpoints

  • The plugin uses an is_user_logged_in() check to grant access to disabled REST API endpoints. I have run a membership site for one year and only just realized that any logged-in visitor STILL HAS ACCESS to any disabled REST API endpoints.

    This should be very explicit, and there should be a setting in the plugin settings page to set the minimum role for the user to have access to the disabled endpoints.

Viewing 1 replies (of 1 total)
  • Plugin Author Dave McHale (@dmchale)

    Hi Lucas,

    First, thanks for using the plugin! I’m sorry it was not clear to you how the plugin worked. I can try to update the description of the plugin for others in the future to make it more explicit. It is mentioned (and explicitly so, in one of the FAQ items) but could probably be highlighted better.

    Second, the issue of using Roles is tricky in WordPress because of their nature: they are not truly hierarchical and there is no “Minimum Role” to assign. Since themes or plugins can adjust the default capabilities of roles, and even add new roles themselves, it’s impossible to guess at what Role is “above” another one. True, you can look at the DEFAULTS and say that permissions (“capabilities”, in WordPress nomenclature) are added as you move up the ranks of Subscriber -> Contributor -> Author -> Editor -> Administrator, but it’s not REALLY a direct line because of the “pluggable” nature of WP. For example, I would guess the membership plugin on your site creates a completely new Role that your users belong to, which isn’t one of the default 5 that I just mentioned… and it probably has custom capabilities which don’t exist in a default WordPress website as well.

    Being able to selectively choose which of the Roles are on/off (individually, not as a “minimum Role of” selection) at a system-wide level is probably the best that we could do in the short term. Two of the reasons I have not done so to date are 1) I’ve gotten very few requests for this feature and 2) I’m sure it would open Pandora’s Box to admins wanting the ability to do this for every individual endpoint as well, which I haven’t had the free time to figure out the best way to implement. It’s possible, but not a trivial update.

    In the future, if you have a feature request or a question/issue with the plugin, I’d suggest using the Support Forum to ask a question rather than leaving a review. Better yet, feel free to check out the GitHub repository and create an Issue (and/or a PR) there; I respond to everything there as well: https://github.com/dmchale/disable-json-api

    Cheers!

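An added example, not code from the Disable REST API plugin or its author, contrasting the login-only gate the thread describes with two alternatives that do not assume a role hierarchy: a capability check, and the per-role on/off allow-list the author sketches. All three hook WordPress's rest_authentication_errors filter, which runs before any route is dispatched. The function names, the option name example_rest_allowed_roles, the filter name example_rest_required_cap and the default capability edit_posts are assumptions chosen for illustration:

```php
<?php
/*
 * Added example (not the Disable REST API plugin's own code).
 * Assumptions: function names, the option 'example_rest_allowed_roles',
 * the filter 'example_rest_required_cap' and the default cap 'edit_posts'.
 */

// Weak pattern described in the thread: any authenticated account passes,
// so a Subscriber created by a membership plugin can reach every route.
function example_weak_rest_gate( $result ) {
    if ( ! empty( $result ) ) {
        return $result; // another authentication handler already decided
    }
    if ( is_user_logged_in() ) {
        return $result; // logged in is all that is checked
    }
    return new WP_Error( 'rest_not_logged_in', 'REST API restricted.', array( 'status' => 401 ) );
}

// Hardened pattern 1: require a capability. Capabilities survive custom roles,
// because a membership plugin's role either grants edit_posts or it does not.
function example_capability_rest_gate( $result ) {
    if ( ! empty( $result ) ) {
        return $result;
    }
    $required_cap = apply_filters( 'example_rest_required_cap', 'edit_posts' ); // assumed filter name
    if ( current_user_can( $required_cap ) ) {
        return $result;
    }
    // 401 for anonymous callers, 403 for authenticated callers that lack the cap
    $status = is_user_logged_in() ? 403 : 401;
    return new WP_Error(
        'rest_forbidden',
        sprintf( 'REST API restricted to users with the %s capability.', $required_cap ),
        array( 'status' => $status )
    );
}

// Hardened pattern 2: an explicit per-role allow-list, as the author proposes.
// No "minimum role" is inferred; a role is either listed or it is not.
function example_role_allowlist_rest_gate( $result ) {
    if ( ! empty( $result ) ) {
        return $result;
    }
    $allowed_roles = (array) get_option( 'example_rest_allowed_roles', array( 'administrator' ) ); // assumed option
    $user_roles    = (array) wp_get_current_user()->roles; // empty array for anonymous callers
    if ( array_intersect( $allowed_roles, $user_roles ) ) {
        return $result;
    }
    $status = is_user_logged_in() ? 403 : 401;
    return new WP_Error( 'rest_forbidden', 'REST API restricted to allowed roles.', array( 'status' => $status ) );
}

// Register only one gate; a high priority lets core authentication run first.
add_filter( 'rest_authentication_errors', 'example_capability_rest_gate', 99 );
```

To verify which behaviour a site actually has, request a route as a low-privilege account rather than as an administrator: create a Subscriber, give it an application password, and run `curl -u subscriber:app-password https://example.test/wp-json/wp/v2/posts`. Under the login-only gate that returns data; under either hardened gate it returns a 403 error body. Note that this filter only denies requests before dispatch; it does not change what `/wp-json/` advertises, and cookie-authenticated browser requests must still send `X-WP-Nonce` or they are treated as anonymous.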