MarioFromBelgium

Hi,

Although I haven’t tested this 100% through but I have the impression this works like a charm. https://gist.github.com/danielbachhuber/8f92af4c6a8db784771c

Succes!
Mario

Hi again,

just noticed that, when requesting the ID endpoint, Paid Membership Pro changes the content of the restricted post with a custom message.

So this seems to be working, strange that it still returns the post-title and id of the author but ok I can live with this!

Regards,
Mario

Hi,

I have found so far two membership plugins that…partially do the job.

S2Membership and Paid Membership Pro both succeed in protecting posts when I make a request like:
https://www.mydomain/wp-json/wp/v2/posts

However they both don’t succeed in protecting the data when I make a request like:
https://www.mydomain/wp-json/wp/v2/post/ID (with ID is of a restricted post)

I start wondering whether the security check that wp rest api does is the same for both endpoints?

Any comments? Even better; solution?

Regards,
Mario

Hi,

Just installed version 2 of Rest Api.
Seems to work fine….except I still don’t find an easy way to prevent data-transfer without authentication.

I really really need help on this!

Regards,
Mario

Hi TheTyro,

Thx for your support! However it doesn’t seem to work in my case.
Does it work for you?

I have added one line to the core (NOT DONE I KNOW) of the api. Until next update I’m save.

I’m still blown away that such a fundamental functionality seems to be an (unsolvable) issue! (You could start wondering why!)

Don’t hesitate to post any other brilliant idea. Much appreciated!!

Regards,
Mario

Hi Devcri,

Not sure how I should feel. At one side I was happy that it doesn’t work for you either. I was starting to doubt myself because I can’t get it to work.

On the other side this shows there must be something wrong with what should be a basic functionality!

I’m hoping for Daniel Bachhuber to come back with some comments and if possible a durable solution.

In any case I have activated “disable-Json” plugin on my live server just in case the next update of the core installs WP-REST_API.

Regards,
Mario

Hi,

@raba and Kanif, did you finally found where to put prionkor’s script?

Grts,
Mario

Hi,

As mentioned already I can’t get it to work that ALL GET calls are only allowed for authenticated users.

I know this is my fault…I must be overlooking something!

Having said that I can’t understand why such an option is not standard available surtenly when WP-REST-API will become part of the core. That would mean that at “next” update of WP all WP-applications with protected data will become open for the public.

I just can’t understand why spending time on authentication security when it seems that a fool like me can’t get it’s data protected from non-authenticated visitors.

To me it seems that this is so basic that it should be dummy(that’s me) proof!

Grts,
Mario

Hi Devcri,

Do you mean that when you go to domain.tld/wp-json/posts/
you see an error message or other?

Is the filter from Daniel correct or did you change something?

I had given up on this because I have had no success at all on all three WP-applications I have running (All the same template!)
I tried to figure it out but I don’t see the problem.

Grts,
Mario

Hi Daniel,

Thx for the quick support!

I’m going through the documentation to find out how and where the filter-script needs to be.
Can you tell me where it needs to go or maybe direct me to the documentation that handles this sort of actions.

Thx!
Mario