Support » Plugin: Disable REST API » Not working with 4.7 Beta 4

  • Resolved Anthony Hortin

    (@ahortin)


    Hi,

    I just tried this plugin with 4.7 beta4-39271 and it doesn’t look like it’s working.

    When I tested it by trying to return a page (/wp-json/wp/v2/pages/2153), it still returned all the content.

Viewing 10 replies - 1 through 10 (of 10 total)
  • And just to confirm, yep, I tested it when not logged into the site

    Hello,
    Sad to hear that wordpress devs have removed the disable filter…

    I am not able to test it right now; but how about this code (just put it in your functions.php)

    
    add_filter( 'rest_authentication_errors', function( $result ) {
    	if ( ! empty( $result ) ) {
    		return $result;
    	}
    	if ( ! is_user_logged_in() ) {
    		return new WP_Error( 'restx_logged_out', 'Sorry, you must be logged in to make a request.', array( 'status' => 401 ) );
    	}
    	return $result;
    });

    Source: https://gist.github.com/danielbachhuber/8f92af4c6a8db784771c
    Delta

    • This reply was modified 1 year, 1 month ago by  deltamgm2.

    Re,
    I have investigated the plugin’s code; it should be working..
    What does return get_bloginfo(‘version’) on your beta version ? maybe there is a pb here:

    $dra_current_WP_version = get_bloginfo('version');
    
    if ( version_compare( $dra_current_WP_version, '4.7', '>=') ) {
        DRA_Force_Auth_Error();
    } else {
        DRA_Disable_Via_Filters();
    }

    Regards,
    Delta

    • This reply was modified 1 year, 1 month ago by  deltamgm2.

    Yeah, it’s very disappointing that they decided to remove the disable filter. I think that’s just stupid.

    the return info from get_bloginfo('version') is “4.7-beta4-39282”, which is a bit weird considering the version number returned at the bottom of the dashboard is “4.7-beta4-39271”. I’m guessing someone forgot to update the version string somewhere.

    I tried what Ryan suggested in the trac ticket for this change and that seems to work ok, but it’d be nicer to have the plugin working so it’s easier to implement.

    remove_action( 'rest_api_init', 'create_initial_rest_routes', 99 );

    It was expected as the rest api is going to use in wordpress admin. Options to force authentication on general option should have been included. 🙁
    AS @pento said, it is not a good practice to remove the core endpoints (https://core.trac.wordpress.org/ticket/38446#comment:8)
    However, the class-wp-rest-server.php still indicates that you can restrict the API.
    apply_filters_deprecated( 'rest_enabled', array( true ), '4.7.0', 'rest_authentication_errors', __( 'The REST API can no longer be completely disabled, the rest_authentication_errors can be used to restrict access to the API, instead.' ) );
    Did you try the code from danielbachhuber ?

    • This reply was modified 1 year, 1 month ago by  deltamgm2.
    • This reply was modified 1 year, 1 month ago by  deltamgm2.

    I have just tested the plugin with your version, the filter method is on; (not the force auth error);

    Daniel’s code seems to work well. Thanks for that link.

    I can understand the reasoning for not disabling the REST API when you’re within the Dashboard, but I think they should still allow people to disable it for all logged out users.

    Even Ryan (the one who wrote most of the API) agreed that people shouldn’t be stopped from disabling it.

    Anyway, thanks for your help. Daniel’s code works ok.

    bonger

    (@gitlost)

    Might be worth changing the version check at https://plugins.trac.wordpress.org/browser/disable-json-api/trunk/disable-json-api.php#L12 to strip out the extra beta guff eg.

    global $wp_version;
    $dra_current_WP_version = substr( $wp_version, 0, strspn( $wp_version, '0123456789.' ) );
    
    Plugin Author Dave McHale

    (@dmchale)

    My apologies for not being responsive on this thread – I thought I was subscribed to the support forum for this plugin but apparently not, so I never got any notifications.

    I just pushed version 1.3, which supports WordPress 4.7. It does NOT currently work in beta due to the RC tags (the code is doing a >= against 4.7, and the version_compare() function is smart enough to know that an RC release is LESS THAN a full release), but cheers @gitlost for the suggestion on how to sidestep that. I would consider implementing a change to strip RC tags but once 4.7 drops (tomorrow, I believe) it will be a non-issue for all versions moving forward.

    @deltamgm2 just an FYI you were looking at the trunk version that was in development. The active version was 1.2 which is likely what @ahortin was using when trying to see if the plugin supported the 4.7 change.

    Thanks Dave 🙂

Viewing 10 replies - 1 through 10 (of 10 total)
  • The topic ‘Not working with 4.7 Beta 4’ is closed to new replies.