• Resolved underfenex

    (@underfenex)


    Hi, first of all, thanks for the plugin, it made my day!

    1. When the user is not logged in the plugin works well, but does the plugin also block the REST API for logged-in users?

    2. Is there a way to test that the plugin is working OK (no REST API for logged-in and non-logged-in users), because when testing as a logged-in user, without the plugin (mydomain.com/wp-json), I always get redirected and don’t know if the REST API is disabled.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Dave McHale

    (@dmchale)

    Hi @underfenex thanks for using the plugin!

    1) The plugin does not currently prevent any logged-in users from accessing the REST API. This is intentional since some parts of the admin area in core are roadmapped for utilizing the REST API to function. Most sysadmins are okay with this anyway since the only people with accounts are admin users. However, I’m working on the best way to provide a more granular ability to turn the REST API off for backend users depending on their role. No ETA on that yet, though, at the moment I’m attempting to survive the holidays.

    2) What version of WordPress are you running? /wp-json should provide a response (without redirecting you) for anything version 4.4+. When NOT logged in and WITH this plugin running, you should see {"code":"rest_cannot_access","message":"Only authenticated users can access the REST API.","data":{"status":401}}. If you ARE logged in, you should see a JSON blob of information about your website. If that’s not the case, it’s possible another plugin is doing something else on your site? If you’ve already tried the usual “disable plugins, use a default theme” troubleshooting steps and you ARE using the latest version of WordPress already, then I would recommend using a service like https://web-sniffer.net/ and trying to see what the actual HTTP response is when you try and access the /wp-json path on your domain – perhaps seeing more information in the headers will shed some light on what’s happening.

    Good luck! Let me know if I can help.

    Thread Starter underfenex

    (@underfenex)

    @dmchale

    1. I’m testing an internal site with accounts, so every user has an account and must be logged in to access the website.

    2. I see the message when I’m not logged in:
    {"code":"rest_cannot_access","message":"Only authenticated users can access the REST API.","data":{"status":401}}

    3. Effectively one of my plugins is not allowing normal users nor admins to query the REST API, which is good, but can normal users with accounts (subscribers) DELETE posts? Do they have full permissions over the REST API?

    I’m using:
    * PHP 7.0
    * WP 4.7

    • This reply was modified 8 years, 3 months ago by underfenex.
    Plugin Author Dave McHale

    (@dmchale)

    Subscribers will absolutely NOT have permissions to delete posts, whether they are in your web-based admin or if they attempt to use the content endpoints in the REST API, so you shouldn’t have any concerns there. That is taken care of by the built-in permissions of WordPress itself. The REST API will not grant any permissions to users that they would not normally have.

    All that this plugin does is ensure that anonymous users are ALWAYS given an authentication error, even if they are trying to access public endpoints that would not normally require authentication.
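The check discussed in this thread, as an added example that is not part of the original posts or the plugin's code: a Python sketch that requests /wp-json without cookies and without following redirects, then classifies the response as the 401 `rest_cannot_access` error, the open API index, or a redirect. The function names, the sample responses and the `example.test` host are constructed for illustration; recognising the index by its `namespaces` and `routes` keys relies on WordPress core's index format, not on anything stated in the thread.

```python
import json
import urllib.error
import urllib.request

BLOCKED_CODE = "rest_cannot_access"  # error code quoted in the thread

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 3xx instead of silently following it

def fetch_anonymous(url):
    """Return (status, headers, body) for a cookie-less GET, redirects not followed."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        resp = opener.open(url, timeout=10)
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx still carry a response
        resp = err
    return resp.getcode(), dict(resp.headers), resp.read().decode("utf-8", "replace")

def classify(status, headers, body):
    """Map one /wp-json response to: blocked, open, redirect, or unexpected."""
    headers = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400:
        # A redirect is not the REST API answering; something else replied first.
        return "redirect -> " + headers.get("location", "?")
    try:
        data = json.loads(body)
    except ValueError:
        data = None
    if not isinstance(data, dict):
        return "unexpected: body is not a JSON object"
    if status == 401 and data.get("code") == BLOCKED_CODE:
        return "blocked"
    # WordPress core's API index lists "namespaces" and "routes".
    if status == 200 and "namespaces" in data and "routes" in data:
        return "open"
    return "unexpected: HTTP %d" % status

# Constructed sample responses (not captured from a real site).
SAMPLES = {
    "anonymous, plugin active": (401, {"Content-Type": "application/json"},
        '{"code":"rest_cannot_access","message":"Only authenticated users '
        'can access the REST API.","data":{"status":401}}'),
    "API index served": (200, {"Content-Type": "application/json"},
        '{"name":"Example","namespaces":["wp/v2"],"routes":{"/":{}}}'),
    "redirected elsewhere": (302, {"Location": "https://example.test/wp-login.php"}, ""),
}
```

Against a live site, `classify(*fetch_anonymous("https://mydomain.com/wp-json"))` should return `blocked` when the plugin is active; a `redirect -> ...` result means something other than the REST API answered the request.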

  • The topic ‘Complete Disable Verification’ is closed to new replies.