WooCommerce plugin support: Restrict endpoint on WooCommerce REST API

  • Resolved dsm1

    (@dsm1)



    I have downloaded this recently; on paper it does everything I want it to do, but in reality it does nothing! https://wordpress.org/plugins/woocommerce-api-lockdown/

    I am seeking a PHP Functions hook to disallow the /customers/ hook from being written and read.

    I have been Googling for hours and the other hooks I’ve found don’t seem to work; noticeably, my slug is /wp-json/wc/v2/customers – most others on Google are just /wp/wc/v2/customers.

    Many Thanks in Advance.

Viewing 14 replies - 1 through 14 (of 14 total)
  • Plugin Support Thomas Shellberg

    (@shellbeezy)

    Automattic Happiness Engineer

    @dsm1 – do you want to disable the /customers/ endpoint from being accessed entirely or just by certain users?

    dsm1

    (@dsm1)

    Hi @shellbeezy,

    By user if possible please

    Plugin Support Jesse Pearson

    (@jessepearson)

    Automattic Happiness Engineer

    @dsm1 Quick question, do you have the API enabled and have keys generated for others to use? If not, then the API is not accessible to the public.

    API uses keys, yes.

    Plugin Support ryanr14

    (@ryanr14)

    Hi @dsm1,

    If you’re using WooCommerce 3.4 and don’t have the legacy API enabled, and as you said you are using API Keys, then your info isn’t accessible by anyone else.

    Generating keys means that a person or app has to have both keys and the details for the user who has permission to use those keys to access anything via the API.

    Hi @ryanr14,

    That’s correct, but this isn’t a user access concern.

    Here’s an example:
    Users:
    Joe
    Bob
    Carl

    All of those users can access:
    Products
    Customers
    Coupons
    Orders

    What I’m looking for, is, for example, a way to stop Bob, and only Bob from accessing the Customers endpoint, whilst still having access to Products, Coupons and Orders.

    I hope that clears things up.

    Plugin Support Jesse Pearson

    (@jessepearson)

    Automattic Happiness Engineer

    @dsm1 I looked into this, and what you are wanting to do is possible, but it will take a bit of customization on your end. The filter woocommerce_rest_check_permissions is used when checking to see if a user has permissions for a certain task. The specific code is here:
    https://github.com/woocommerce/woocommerce/blob/3.4.3/includes/wc-rest-functions.php#L273-L285

    The filter can be used with the get_current_user_id() function to determine what user is using the API and test to see if they should be accessing or not.

    So, it can be done, but it will take quite a bit of customization to get it working. If you are not a developer, or do not have a developer, we suggest the resources here for customization assistance:
    https://woocommerce.com/customizations/

    Hi @jessepearson,

    That’s great, but that doesn’t necessarily point me in the right direction for specific user restrictions. I found this plugin which offers everything I’m after, apart from the fact that the plugin is ineffective; it doesn’t actually work…
    https://wordpress.org/plugins/woocommerce-api-lockdown/

    Unless I’ve missed something in the wc-rest-functions.php file?

    Please take a look at the plugin, it does describe in a bit more detail as to what I’m after. Note: I’m not asking for support on this plugin, if anything, I’m ideally looking for a functions.php webhook.

    Regards

    Plugin Support wbrubaker

    (@wbrubaker)

    Something like this would do the trick provided I understand what you are trying to do (and provided that Bob’s login name is bob): https://gist.github.com/WillBrubaker/de465c456de34eb0c14cdc442d394dab

    Unless I’ve missed something in the wc-rest-functions.php file?

    It’s right here: https://github.com/woocommerce/woocommerce/blob/3.4.3/includes/wc-rest-functions.php#L284

    Kind regards,

    Thanks @wbrubaker,

    That is what I’m looking for: the “never trust Bob with customer data” code. Where are the endpoints set? I can’t see where “customers” are disallowed in that snip (I’m guessing I’ve missed something obvious).

    How would I go about, for example blocking “coupons” too?

    i.e:

    add_filter( 'woocommerce_rest_check_permissions', 'never_trust_bob_with_coupons', 10, 4 );

    function never_trust_bob_with_coupons( $permission, $context, $object_id, $type ) {
        return ( 'user' === $type && 'bob' === wp_get_current_user()->user_login ) ? false : $permission;
    }

    I know my amendment above is wrong, but that’s the only place I see the endpoint name mentioned!

    Also @wbrubaker,

    Would it be possible to let bob read customers but not write?

    We’ve given Bob Read/Write access in WooCommerce settings but want Read Only on customers.

    Is that possible in the hook?

    Plugin Support wbrubaker

    (@wbrubaker)

    Would it be possible to let bob read customers but not write?

    Yes. See the $context variable and set permission conditionally on whether that is read or write.

    where are the endpoints set?

    The $type variable points to what type of permissions are being checked. Thinking of this in terms of ‘endpoints’ is not going to help.

    How would I go about, for example blocking “coupons” too?

    Similarly as you would for ‘users’. The type that would be passed would be a post type in the case of coupons.
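    Putting the two answers above together (the filter Jesse points at and the $context/$type distinction wbrubaker describes), here is an added example that is not from the thread, the gist or WooCommerce itself. It assumes WooCommerce 3.4.x, that the API key owner’s login is "bob", that customer checks pass $type 'user', and that coupon checks pass the post type 'shop_coupon'.

```php
<?php
// Added example (not from the thread or WooCommerce): per-user REST restrictions
// via the woocommerce_rest_check_permissions filter.
// Assumptions: WooCommerce 3.4.x; the key owner's login is "bob"; customer
// endpoints pass $type 'user' and coupon endpoints pass 'shop_coupon'.

add_filter( 'woocommerce_rest_check_permissions', 'restrict_bob_rest_access', 10, 4 );

/**
 * @param bool   $permission Result WooCommerce already computed from capabilities.
 * @param string $context    'read', 'create', 'edit', 'delete' or 'batch'.
 * @param int    $object_id  ID of the object being checked (0 for list/create).
 * @param string $type       'user' for customers, a post type for products,
 *                           orders and coupons.
 * @return bool
 */
function restrict_bob_rest_access( $permission, $context, $object_id, $type ) {
    // Never loosen: if WooCommerce already denied the request, keep it denied.
    if ( ! $permission ) {
        return false;
    }

    // The API key resolves to a WordPress user, so this is the key owner.
    $user = wp_get_current_user();
    if ( ! $user || 'bob' !== $user->user_login ) {
        return $permission;
    }

    // Customers: read only. Anything that is not a plain read is refused,
    // which also covers 'batch' (it may contain creates and deletes).
    if ( 'user' === $type && 'read' !== $context ) {
        return false;
    }

    // Coupons: refused entirely, whatever the context.
    if ( 'shop_coupon' === $type ) {
        return false;
    }

    return $permission;
}
```

    Because the filter runs after WooCommerce’s own capability check, it can only narrow access; it can never grant a permission the key’s user does not already hold.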

    Plugin Support jamosova

    (@jamosova)

    Automattic Happiness Engineer

    Hi @dsm1, you haven’t connected with us for a while here. Please let us know if you still have any questions or if we can mark this thread as Resolved? Thank you and looking forward to your reply!

    Plugin Support jamosova

    (@jamosova)

    Automattic Happiness Engineer

    Hi @dsm1,

    Looks like you are all set for now so I am going to mark this thread as Resolved. Feel free to connect with us again should you have any additional questions!
