Title: Apply restrictions to WP REST-API JSON
Last modified: June 14, 2017

---

# Apply restrictions to WP REST-API JSON

 *  Resolved [onigi](https://wordpress.org/support/users/onigi/)
 * (@onigi)
 * [8 years, 10 months ago](https://wordpress.org/support/topic/restict-wp-rest-api-json/)
 * Hi, I have a membership website and I restrict the access to content and taxonomies
   using Groups (Groups, Restrict Categories, WooCommerce).
 * I have disabled the WP REST-API JSON because the restrictions are not working.
 * I.e. the results of [http://mywebsite.com/wp-json/wp/v2/posts/](http://mywebsite.com/wp-json/wp/v2/posts/)
   include all the posts, not only the ones the user should be able to read.
 * Is there a way to apply the Group restriction to WP REST-API JSON results?
 * Many thanks!
    -  This topic was modified 8 years, 10 months ago by [onigi](https://wordpress.org/support/users/onigi/).

Viewing 4 replies - 1 through 4 (of 4 total)

 *  Plugin Author [Kento](https://wordpress.org/support/users/proaktion/)
 * (@proaktion)
 * [8 years, 9 months ago](https://wordpress.org/support/topic/restict-wp-rest-api-json/#post-9259367)
 * Hi,
 * Many thanks for pointing out the issue.
 * Based on what I’ve seen, currently restricted entries can come up when requested
   directly, e.g. [http://example.com/wp-json/wp/v2/posts/453](http://example.com/wp-json/wp/v2/posts/453)
   although no content is provided. Although the entry returned does not provide
   the protected post’s content (it’s an empty string so our content filter seems
   to be applied), it does reveal the existence of the post to an unauthorized user
   so this is a security issue. I’m not sure yet why this happens because the protected
   method WP_REST_Posts_Controller::get_post() that handles this actually uses the
   function get_post() which should have Groups’ filters applied; these would eliminate
   the post from the results and the query should return no post, but it seems they
   are not called … so this needs to be fixed.
 * If we query for posts in a category, e.g. [http://example.com/wp-json/wp/v2/posts?categories=1&order=desc&orderby=date](http://example.com/wp-json/wp/v2/posts?categories=1&order=desc&orderby=date),
   any protected posts are in fact excluded from the results, so here all filters
   seem to be applied correctly.
 * In any case, this must be fixed as soon as possible – I’ll follow up here.
 * Meanwhile, if there’s anything else you have observed or would like to point 
   out related to this issue, I’d appreciate your and anyone’s comments.
    -  This reply was modified 8 years, 9 months ago by [Kento](https://wordpress.org/support/users/proaktion/).
      Reason: spelling
 *  Plugin Author [Kento](https://wordpress.org/support/users/proaktion/)
 * (@proaktion)
 * [8 years, 9 months ago](https://wordpress.org/support/topic/restict-wp-rest-api-json/#post-9288570)
 * FYI The new version 2.3.0 has just been released which takes care of the requests
   to single posts. I’ll mark this as resolved but please let me know if you see
   any further issues.
 *  [quocpt](https://wordpress.org/support/users/quocpt/)
 * (@quocpt)
 * [8 years, 9 months ago](https://wordpress.org/support/topic/restict-wp-rest-api-json/#post-9327519)
 * Hi Kento,
 * When querying all posts which are only accessible to groups by calling [http://example.com/wp-json/wp/v2/posts/](http://example.com/wp-json/wp/v2/posts/),
   it loads the posts as for unregistered users, no matter which group's users are logged in.
 * Do you have a reference document for implementing this: posts of group A will only
   be displayed for logged-in group A users when calling the WP REST API?
    -  This reply was modified 8 years, 9 months ago by [quocpt](https://wordpress.org/support/users/quocpt/).
 *  Plugin Author [Kento](https://wordpress.org/support/users/proaktion/)
 * (@proaktion)
 * [8 years, 7 months ago](https://wordpress.org/support/topic/restict-wp-rest-api-json/#post-9453477)
 * Hi [@quocpt](https://wordpress.org/support/users/quocpt/),
 * You need to have your user authenticated to have the protected posts included.
 * Useful resources:
 * – Authentication [https://developer.wordpress.org/rest-api/using-the-rest-api/authentication/](https://developer.wordpress.org/rest-api/using-the-rest-api/authentication/)
 * – a Basic Authentication plugin for tests [https://github.com/WP-API/Basic-Auth](https://github.com/WP-API/Basic-Auth)


The topic ‘Apply restrictions to WP REST-API JSON’ is closed to new replies.
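
The single-post behaviour described in the first reply (a 200 response with an empty content string still reveals that a restricted post exists) can be checked after upgrading with a small audit like the one below. This is an added example, not code from the thread or from the Groups plugin; `fetch_single` and `fetch_list` are hypothetical callables the site owner supplies, and the sample responses are constructed.

```python
"""Added example: audit unauthenticated REST responses for restricted posts."""

def classify_single(status, body):
    """Classify an unauthenticated GET /wp-json/wp/v2/posts/<id> response."""
    if status in (401, 403, 404):
        return "hidden"  # nothing about the post is disclosed
    if status == 200 and isinstance(body, dict) and "id" in body:
        rendered = (body.get("content") or {}).get("rendered", "")
        # Empty content still confirms the post exists (id, title, slug ...).
        return "content_exposed" if rendered.strip() else "existence_leak"
    return "unexpected"

def audit(restricted_ids, fetch_single, fetch_list):
    """Return {post_id: finding} for each restricted post that is not fully hidden.

    fetch_single(post_id) -> (status, body) and fetch_list() -> list of post
    objects are hypothetical callables; call them without credentials
    against a site you administer.
    """
    findings = {}
    listed = {p.get("id") for p in fetch_list()}
    for post_id in restricted_ids:
        verdict = classify_single(*fetch_single(post_id))
        if verdict != "hidden":
            findings[post_id] = verdict
        elif post_id in listed:
            findings[post_id] = "listed_in_collection"
    return findings

# Constructed sample responses (not captured from a real site).
SAMPLE_SINGLE = {
    453: (200, {"id": 453, "title": {"rendered": "Members only"},
                "content": {"rendered": "", "protected": False}}),
    454: (404, {"code": "rest_post_invalid_id", "message": "Invalid post ID.",
                "data": {"status": 404}}),
    455: (200, {"id": 455, "content": {"rendered": "<p>Secret</p>"}}),
}
SAMPLE_LIST = [{"id": 12}, {"id": 13}]

def run_sample():
    """Audit the constructed samples; 454 is hidden, so it is not reported."""
    return audit([453, 454, 455], lambda i: SAMPLE_SINGLE[i], lambda: SAMPLE_LIST)

if __name__ == "__main__":
    for post_id, finding in run_sample().items():
        print(post_id, finding)
```

Running the same audit with an authenticated `fetch_single` for a group member should instead return the post with its content, matching the last reply in the thread.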
