If REST API is disabled form can’t be sent

  • Hi there,

    We have noticed today that now Contact Form 7 needs the REST API enabled to check the fields of a form and send the form.

    We run the plugin Disable REST API on many of our sites because we don’t need the REST API and we want to reduce security risks.

    Now we have noticed that when the plugin is enables (and therefore REST API disabled) after clicking on send nothing happens and the wheel keeps spinning.

    In the console we see following errors:

    Failed to load resource: the server responded with a status of 401 (Unauthorized)
/wp-json/contact-form-7/v1/contact-forms/9206/feedback

    and

    Failed to load resource: the server responded with a status of 401 (Unauthorized)

    If we click on either of them we get some more information:

    {"code":"rest_cannot_access","message":"Only authenticated users can access the REST API.","data":{"status":401}}

    That’s why we tried to disable the Disable REST API plugin and the form worked again.

    Is there a reason why you rely on the REST API which before was not needed?

    Can we disable the use of the REST API by Contact Form 7?

    Best regards from Spain.

    • This topic was modified 7 years, 5 months ago by netconsulting.
    • This topic was modified 7 years, 5 months ago by netconsulting. Reason: formatting
    • This topic was modified 7 years, 5 months ago by netconsulting.
Viewing 12 replies - 1 through 12 (of 12 total)

  • Hi @netconsulting,

    just noticed it right now!

    • This reply was modified 7 years, 5 months ago by Augusto Sim?o.

    +1 to this, we have the same problem!

    another point: if you limit WordPress access (only for logged users or for specífic pages), the REST API naturally gets blocked and CF7 doesn’t work too.

    I have another thread on this topic, but hopefully @takayukister will be able to advise us all on this shortly, he’s the expert. ??

    A. Albrecht

    (@alexander-albrecht)

    +1

    Hi guys! Any update here?

    Disabling the REST API entirely is not recommended because it will break future features of the WordPress admin that are being written to depend upon those endpoints — the usual recommendation is to require authentication for all requests, but in this case as you note, form requests may be coming from unauthenticated sources. I think my formal recommendation would be to just not disable the REST API, but I look forward to hearing from the plugin author about how things look from their side.

    Yeah, not disabling the REST API is not an option for me, my employer requires us to do that for security reasons. Surely there must be an actual fix?

    @gcasalett – did downgrading to version 4.7 not work for you? 4.7 does not rely on the REST API.

    In my case, the issue only happens on mobile (tested on latest iOS and Android).

    
VM165:1 POST https://www.mysite.org/wp-json/contact-form-7/v1/contact-forms/80/feedback 401 (Unauthorized)
(anonymous)	@	VM165:1
send	@	jquery.js?ver=1.12.4:4
ajax	@	jquery.js?ver=1.12.4:4
wpcf7.submit	@	scripts.js?ver=4.8.1:326
(anonymous)	@	scripts.js?ver=4.8.1:53
dispatch	@	jquery.js?ver=1.12.4:3
r.handle	@	jquery.js?ver=1.12.4:3
    • This reply was modified 7 years, 3 months ago by Duke.

    @tneville Sorry I missed this before — downgrading is not an option, our security team requires us to always be on the latest version.

    There really should be a fallback option to wp_ajax hook

    Lot of people have disabled the rest api. Me included

Viewing 12 replies - 1 through 12 (of 12 total)
  • The topic ‘If REST API is disabled form can’t be sent’ is closed to new replies.