REST API

Hi–?thanks for using Force Login!

If you need to disable the REST API restriction in Force Login, try adding the following code to your functions.php file:

remove_filter( 'rest_authentication_errors', 'v_forcelogin_rest_access' );

Just added it and it gives access to all API’s again. But adding that still prevents Disable JSON API to manage what API’s I want public and which ones I don’t. If I add that to my themes function.php everything is open and the other plugin won’t let me lock it down..

Scratch that, it fixed it, The only issue is are you going to make this a option in the dev road map? Having this in the theme and it gets updated would wipe out the change

• This reply was modified 7 years, 2 months ago by bikecrazyy.
• This reply was modified 7 years, 2 months ago by bikecrazyy.

Great! I’m glad you got it working again.

If you’re concerned about losing custom changes to the theme, I recommend using a Child Theme instead.

By using a child theme you will ensure that your modifications are preserved when the parent theme gets updated.

Be sure to rate and review my plugin to let others know how you like it.

Thanks again!

I thought I would inform you that I just released a new version of Force Login (v5.1.1), which improves the REST API restriction to allow alternative modes of authentication.

And as a result, it might allow you to use the Disable JSON API plugin without needing to remove the v_forcelogin_rest_access filter as described above.

Thanks!

Hi Kevin,

I tried adding remove_filter( ‘rest_authentication_errors’, ‘v_forcelogin_rest_access’ ); to my Divi child theme to allow access to the Gravity Forms JSON REST API and it didn’t work. Any other suggestions as to how i can enable access to this API?

What ever update you did in v5.1.1 doesn’t seem to work… the plugin is still blocking rest api even with the functions.php coded added

@bryanrego

My original suggestion was before the v5.1.1 update; Force Login now restricts the API at a later priority to defer authorization to any other API handling plugin.

Try adding the following priority to the remove_filter() function:

remove_filter( 'rest_authentication_errors', 'v_forcelogin_rest_access', 99 );

I believe the remove_filter() function was not working for you because it was not running at the correct point.

Let me know if this solves your issue.

@bikecrazyy

As of v5.1.1, the remove_filter() function I suggested needs to run at a later priority in order to work. Try the new suggestion I just posted above.

Check out the following issue at GitHub for the full discussion about what changed in v5.1.1 and why:

https://github.com/kevinvess/wp-force-login/issues/35

@kevin Sorry man, I can’t be dealing with this small silly issue for any longer and just copied your code and removed lines 56-68 in my own plugin. I really wish you would consider stop doing these hacky things such as editing your functions.php for your theme to make your plugin work properly with other plugins using REST options. All you really need to do is make this a feature you can turn on and off. Making any custom changes like your trying to have us do doesn’t follow best practices.

@bryanrego
I suggest you do the same do

• This reply was modified 7 years, 1 month ago by bikecrazyy.

@bikecrazyy

Thanks for the feedback, but plugins are by definition are a hack of core WordPress functionality.

The core of WordPress is designed to be lean and lightweight, to maximize flexibility and minimize code bloat. Plugins then offer custom functions and features so that each user can tailor their site to their specific needs.

Furthermore, WordPress best practice encourages custom functionality to be applied via your theme’s functions.php or a plugin.

The functions.php file behaves like a WordPress plugin, adding features and functionality to a WordPress site. You can use it to call WordPress functions and to define your own functions.

Force Login was built specifically to be lean and lightweight, with only one purpose–?to force unauthorized visitors to login or authenticate before gaining access to the website.

This plugin was built with developers in mind by excluding an admin panel with options and all the extra code/database bloat that comes with that. Instead, it offers hooks to allow developers to alter the default plugin functionality to suit their needs via their theme’s functions.php file.

I’m sorry your other plugins using the REST API do not follow best practices and properly authenticate themselves. If they had, Force Login would not have interfered because it checks for authentication before blocking access to the API.

An example of how a plugin could authenticate itself can be seen in the following WordPress core implementation:
https://github.com/WordPress/WordPress/blob/587da39a9e0eaea37e5f45323be0ede19d72f974/wp-includes/rest-api.php#L733-L791

Might I suggest you ask the other plugin creators to authenticate their API calls to the WordPress REST API? This would be consistent with core handling and possibly mitigate any potential future conflicts with others.

Thanks for using Force Login!

Okay bud I really don’t have time to waste on reading your response since it’s filled with a bunch of garage that your using to make a point. Plugins are and extension of WordPress not necessarily a hack, if you start telling people to edit there functions.php then when an update comes around for the theme… oh everything is gone. Your response to that is oh well make a child theme. aka HACK. If you extend the ability of the WordPress, by giving the user the ability to turn it on/off then there wouldn’t be a problem. I wonder if you lack the time or knowledge to do this. You causes this issue by and update so really the true issue was caused by your code/extension you made to the plugin after the fact. Working just fine before you decided to change the functionally of your plugin.

I’m sorry your other plugins using the REST API do not follow best practices and properly authenticate themselves. If they had, Force Login would not interfere because it checks for authentication before blocking access to the API.

Who are you say that other plugins don’t follow best practices lol. Have you reviewed the code of all REST API plugins. I won’t be responding to you anymore due to the fact that I’ll be turning off notifications/follow up’s to this thread so I don’t get email alerts of this silly issue that your update caused.

Hiya @bikecrazyy and @kevinvess,

So it looks like everyone’s a little bit right here ??

A child theme isn’t a hack, it’s the recommended approach if you wish to make custom changes or additions to a theme while avoiding losing those changes with the next WordPress update.

A plugin also works just as well in this case, preferably as a Must-Use plugin if it’s required functionality.

Both approaches are functional, valid, and perfectly fine, use whichever one you as a user are comfortable with.

—

I will, however, issue you a warning @bikecrazyy. Your replies are becoming gradually more riled up it seems. Please take a moments break, have a cup of your beverage of preference and watch the rain (that’s my approach to stressful days at least ?? ).

Thanks @kevinvess, that worked. I agree @clorith that a child theme is not a hack, it’s actually a best practice.

@kevinvess i am having trouble bypassing the gravityformsapi from a child site on a multisite install with force login active.

Whats weird is i can reach the gravityformapi from a child site to my main site but not vs versa (from main site to child site). i also tried your adding your suggestion with no luck –

remove_filter( 'rest_authentication_errors', 'v_forcelogin_rest_access', 99 );

On main site (/) and the child site (/site2) i have the following in my functions.php as they both have there own child theme –

function my_forcelogin_whitelist( $whitelist ) {
  // Filter specific pages
    $whitelist[] = site_url( '/' );
  // Get visited URL without query string
  $url_path = preg_replace('/\?.*/', '', $_SERVER['REQUEST_URI']);
  // whitelist any page URL within the specified directory and certain pages
  if ( in_array('gravityformsapi', explode('/', $url_path)) ) {
    $whitelist[] = site_url($_SERVER['REQUEST_URI']);
  }
  return $whitelist;
}
add_filter('v_forcelogin_whitelist', 'my_forcelogin_whitelist', 10, 1);

@bryanrego I may not be able to troubleshoot this, but I’m fairly certain the whitelist filter is not necessary. I suspect the issue is only related to the v_forcelogin_rest_access API filter.

Could you share what your code for the gravityformapi is?

Gravity Forms has documentation on their Web API and a section about Authentication:
https://docs.gravityforms.com/web-api/#authentication

I know you’re using a multisite install to communicate between the child and main sites–?but maybe you need to authenticate your requests using their authentication for external applications method?

I hope that helps and good luck!