Rest API and Metabox fields show/hide

This topic has 2 replies, 2 voices, and was last updated 3 years, 7 months ago by Nicholas Cox.

Viewing 3 posts - 1 through 3 (of 3 total)

Author

Posts
August 9, 2021 at 5:03 AM #30021

Nicholas Cox
Participant

Hi

I noticed that WordPress has alot of API endpoints and I came across the 'users' endpoint (wp-json/wp/v2/users) which exposes alot of sensitive data. I do understand that Metabox adds the fields to the API which is great, but I noticed that the default users data is exposed to visitors and hackers.

What is the best approach to managing this? is it best to disable all endpoints not being used and create new endpoints to control the data for visitors only? I need to use the API for visitors so its not like I can use the 'nonce'.

Or can I show/hide specific Metabox fields within the API?

or shall I add in authentication to access the API, like a API key?

Thanks, any help/advice would be great.

Add New Note to this Reply

August 9, 2021 at 11:30 AM #30041
Long Nguyen
Moderator
Hi,

It's not possible to show/hide specific Meta Box fields in the JSON data of REST API. I think you can restrict access to WP REST API within this code
```
add_filter( 'rest_authentication_errors', function( $result ) {
    // If a previous authentication check was applied,
    // pass that result along without modification.
    if ( true === $result || is_wp_error( $result ) ) {
        return $result;
    }

    // No authentication has been performed yet.
    // Return an error if user is not logged in.
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            __( 'You are not currently logged in.' ),
            array( 'status' => 401 )
        );
    }

    // Our custom authentication check should have no effect
    // on logged-in requests
    return $result;
});
```
Refer to this topic https://stackoverflow.com/questions/32082922/restrict-access-to-wordpress-rest-api

Add New Note to this Reply
August 10, 2021 at 6:53 PM #30097

Nicholas Cox
Participant

great thanks, I'll check out the link.

Add New Note to this Reply
Author

Posts

Viewing 3 posts - 1 through 3 (of 3 total)

You must be logged in to reply to this topic.