Show in rest is mandatory to be compatible with the block editor. What you can do though is hook ‘rest_prepare_post_type’ action and unset sensitive elements of the returned data when the user is not logged in.
Hi @bcworkz,
Thanks for your reply. I’ll look into that and see if I can use that to shut the windows and draw the curtains around the database…
I think a better way would haven been to have a second setting for each (custom) post where you can have:
show_in_rest => false (default) / true
use_block_editor => true (default) / false
Right now the show_in_rest option is used for two things:
. use this (custom) post in the REST API (which makes sense given the name of this option)
. use the block editor for this (custom) post (which is a different thing).
Since the block editor is dependent upon the API, disabling the API will by inference disable (or at least break) the block editor. I get what you’re saying though and don’t entirely disagree, except the implementation would need to be different. Maybe more like
'rest_allow_referer' => {all|self|none}
so the object can be available to API requests from the same domain but not necessarily from other domains. Or something similar to .htaccess allow/deny directives perhaps.
I think your proposal makes sense. Something along those lines sounds like a way to go. Another thing is that I feel that access from outside should be off by default. Just to protect all those innocent site admins out there, that have no idea what is going on with their site.
I do not have the energy now to start a thread and defend this thing talking to the core people. I may think otherwise tomorrow or next month. For now I’m just going to shut down the REST API for non-logged in users and see if it breaks anything worthwile. A crude solution, and not really my style, but for now I do not see a different way…
@bcworkz, thanks for thinking with me.