• My website is using the latest WordPress and Contact Form 7 4.9.2. I just noticed today that my contact form has an issue. I cannot send a comment if I am not logged in. Using both an admin and a normal user account, the test comment is sent. Before WP was upgraded to the recent version and the CF7 plugin to 4.9.2, the contact form worked for unauthenticated users. Now, I am not sure which of the two is the culprit. I checked my function file and I didn’t see anything that is related to the problem. Besides, I didn’t make any major changes to plugins or the function file before the 4.9.2 update of both WordPress and Contact Form 7, and so I’m lost.

    Please advise what might be causing the issue when an unauthenticated user is sending via Contact Form 7.

Viewing 15 replies - 1 through 15 (of 27 total)
  • Thread Starter bigacelloy

    (@bigacelloy)

    I noticed this showing on the log once I send a comment (unauthenticated) – wp-json/contact-form-7/v1/contact-forms/1130/feedback

    Plugin Author Takayuki Miyoshi

    (@takayukister)

    What other plugins and theme do you use on the site?

    Same problem here after upgrading to latest WordPress and CF. JS console states:
    jquery.js?ver=1.12.4:4 POST https://www.foo.bar/wp-json/contact-form-7/v1/contact-forms/173/feedback 401 (Unauthorized)

    That is for me due to an officially supported filter, which I added for security reasons (you might remember the dramatic rest security issues last year):
    add_filter('rest_authentication_errors', array($this, 'restApiForLoggedInUsersOnly'));

        public function restApiForLoggedInUsersOnly($access)
        {
            if (!is_user_logged_in()) {
                return new \WP_Error(
                    'rest_cannot_access',
                    __('Only authenticated users can access the REST API.', 'disable-json-api'),
                    array(
                        'status' => rest_authorization_required_code()
                    )
                );
            }
    
            return $access;
        }

    So you are relying on an API endpoint which might not be available.

    Can we have an option to manually deactivate javascript on a form?

    Thread Starter bigacelloy

    (@bigacelloy)

    Hello @takayukister! I apologize for the delay. Is there a way to send you screenshots via private message? Thanks!

    BTW – The plugin Disable REST API is not a concern. I am not using this plugin.

    Thread Starter bigacelloy

    (@bigacelloy)

    @takayukister It seems I do not have to send my plugins list to you. I deactivated my plugins ONCE MORE, one by one, and found a plugin that is not directly conflicting with CF7, but disabling one of its features “for testing purposes” confirmed the real cause of the contact form not sending for non-logged-in users.

    This is the second time I deactivated the plugins, and @kpapst (thank you for your good observation, amigo!) gave me an idea where to look. Well, I have two places where REST API authentication was enabled. I did it for security reasons.

    During my first try of deactivating all plugins, the contact form message was still not sending for unauthenticated users. The culprit is the REST API authentication set to enabled in my function file. After reading the comment by @kpapst, I removed this function to test. CF still not working.

    With that current setting, I then disabled the plugins again, and this time I isolated that the issue was caused by another “Require authentication for access to the REST API” option, which was enabled in the Members plugin. When I unchecked this and sent a message on the contact form (while NOT LOGGED IN), the test was successful.

    The thing is, REST authentication is necessary. The REST API has introduced a couple of security issues, and using authentication is deeply useful against malicious attacks.

    Is there any way the latest CF7 4.9 can be adjusted back to where it is compatible with REST authentication? Or an option in the CF7 plugin to turn on/off authentication, something like the “subscribers_only: false” on the Additional Settings instead of “subscribers_only: true” which were introduced in CF7 4.8?

    I’m just throwing thoughts here. You probably have a better idea and Thank you for creating an awesome plugin.

    Thread Starter bigacelloy

    (@bigacelloy)

    I stand corrected on my note above: “subscribers_only: true” was introduced in CF7 4.9. I am eyeing a temporary downgrade to CF 4.7 while a stable fix for REST Auth is not available yet for 4.9.

    @takayukister thanks for this great plugin, sorry for not mentioning it earlier!
    As the contact forms work with deactivated javascript, what do you think about an additional attribute on the [contact-form-7 rest_api=false] short code to deactivate the JS call?

    Until there is a proper solution for users with a deactivated REST API for anonymous users, I adjusted my security check to:

    public function restApiForLoggedInUsersOnly($access)
    {
        if (is_user_logged_in()) {
            return $access;
        }
    
        if (stripos($_SERVER['REQUEST_URI'], get_rest_url(null, 'contact-form-7')) !== false) {
            return $access;
        }
    
        return new \WP_Error(
            'rest_cannot_access',
            __('Only authenticated users can access the REST API.', 'disable-json-api'),
            array(
                'status' => rest_authorization_required_code()
            )
        );
    }

    I know it’s not a beauty … but my contact forms work again.
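
A stricter form of the allowlist idea in the post above, as an added example that is not part of the thread or of Contact Form 7: it matches the resolved REST route against an anchored pattern for the feedback and refill routes listed later in this thread, instead of searching the raw request URI for a substring. The `example_*` names are hypothetical, and reading the route from `$GLOBALS['wp']->query_vars['rest_route']` is an assumption about where WordPress keeps it during a REST request.

```php
<?php
// Added example, not code from this thread. example_* names are hypothetical.

// Anonymous access is limited to the two form routes; the pattern is anchored
// at both ends so no other route containing this text can match.
const EXAMPLE_PUBLIC_ROUTES =
    '#^/contact-form-7/v1/contact-forms/\d+/(feedback|refill)$#';

// True when the resolved REST route may be served without a logged-in user.
function example_is_public_route(string $route): bool
{
    $route = '/' . trim($route, '/'); // one leading slash, no trailing slash
    return preg_match(EXAMPLE_PUBLIC_ROUTES, $route) === 1;
}

// Callback for the rest_authentication_errors filter.
function example_rest_auth($access)
{
    // Keep an earlier callback's error, and let logged-in users through.
    if (is_wp_error($access) || is_user_logged_in()) {
        return $access;
    }
    // Assumption: the resolved route is in this query var during REST requests.
    $route = (string) ($GLOBALS['wp']->query_vars['rest_route'] ?? '');
    if (example_is_public_route($route)) {
        return $access;
    }
    return new WP_Error(
        'rest_cannot_access',
        'Only authenticated users can access the REST API.',
        array('status' => rest_authorization_required_code())
    );
}

if (function_exists('add_filter')) {
    add_filter('rest_authentication_errors', 'example_rest_auth');
} else {
    // Outside WordPress (php CLI): run the matcher on constructed routes.
    $constructed = array(
        '/contact-form-7/v1/contact-forms/173/feedback' => true,
        '/contact-form-7/v1/contact-forms/173/refill'   => true,
        '/contact-form-7/v1/contact-forms'              => false,
        '/wp/v2/users'                                  => false,
        '/wp/v2/x/contact-form-7/v1/contact-forms/1/feedback' => false,
    );
    foreach ($constructed as $route => $expected) {
        echo $route, ' => ', example_is_public_route($route) === $expected ? 'ok' : 'MISMATCH', "\n";
    }
}
```

Routes that do not match, including the form listing at `/contact-form-7/v1/contact-forms`, keep requiring a login.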

    In my case it was because of Disable REST API plugin (disables the use of the JSON REST API on your website to anonymous users). When I disabled it, contact form was working again.

    Hi,
    this problem is due to Disable REST API.
    You just:
    1- Go to the settings item and select (disable rest api settings)
    2- Check mark these items:
    contact-form-7/v1
    /contact-form-7/v1/contact-forms
    /contact-form-7/v1/contact-forms/(?P<id>\d+)
    /contact-form-7/v1/contact-forms/(?P<id>\d+)/feedback
    /contact-form-7/v1/contact-forms/(?P<id>\d+)/refill
    3- Save these settings

    Now you can send forms with Contact Form 7 without logging in.

    I seem to have the same problem but do not understand how to implement your solution, and was wondering if you could clarify the steps more for novices like myself. For example, what is the setting item, and how do I check mark items?

    Thanks.

    • This reply was modified 6 years, 6 months ago by chemdata.

    Pls disregard my post asking “I seem to have the same problem but do not understand how to implement your solution, and was wondering if you could clarify the steps more for novices like myself. For example, what is the setting item, and how do I check mark items?” as a friend pointed out my confusion.

    Thanks.

    Did you find the option (disable rest api settings)?

    Yes. Thank you.

    very good.

    @bahmannik
    I’m sorry, but I have the same problem and cannot find the option mentioned under point 1.

    I’ve WordPress V4.9.8 and Contact Forms 7 V5.0.3

  • The topic ‘Contact Form Not Sending if User is Not Login’ is closed to new replies.