Custom Posts / Block editor / Rest API / show_in_rest

  • When the REST API came along I noticed that I needed to set ‘show_in_rest’ => true when registering a Custom Post, just to get it to work with the block editor. I just discovered that this means that the info in those CP’s is exposed to the outside world through the REST API. This is highly undesirable, as some of the exposed info is for logged-in users only. Therefore I had to switch back to ‘show_in_rest’ => false

    Is there another way of getting CP’s to work with the block editor, without having the info exposed to the outside world through the REST API?

Viewing 4 replies - 1 through 4 (of 4 total)
  • Moderator bcworkz

    (@bcworkz)

    Show in rest is mandatory to be compatible with the block editor. What you can do though is hook ‘rest_prepare_post_type’ action and unset sensitive elements of the returned data when the user is not logged in.

    Thread Starter stilldreaming

    (@stilldreaming)

    Hi @bcworkz,

    Thanks for your reply. I’ll look into that and see if I can use that to shut the windows and draw the curtains around the database…

    I think a better way would haven been to have a second setting for each (custom) post where you can have:
    show_in_rest => false (default) / true
    use_block_editor => true (default) / false

    Right now the show_in_rest option is used for two things:
    . use this (custom) post in the REST API (which makes sense given the name of this option)
    . use the block editor for this (custom) post (which is a different thing).

    • This reply was modified 4 years, 6 months ago by stilldreaming.
    Moderator bcworkz

    (@bcworkz)

    Since the block editor is dependent upon the API, disabling the API will by inference disable (or at least break) the block editor. I get what you’re saying though and don’t entirely disagree, except the implementation would need to be different. Maybe more like
    'rest_allow_referer' => {all|self|none}
    so the object can be available to API requests from the same domain but not necessarily from other domains. Or something similar to .htaccess allow/deny directives perhaps.

    Thread Starter stilldreaming

    (@stilldreaming)

    I think your proposal makes sense. Something along those lines sounds like a way to go. Another thing is that I feel that access from outside should be off by default. Just to protect all those innocent site admins out there, that have no idea what is going on with their site.

    I do not have the energy now to start a thread and defend this thing talking to the core people. I may think otherwise tomorrow or next month. For now I’m just going to shut down the REST API for non-logged in users and see if it breaks anything worthwile. A crude solution, and not really my style, but for now I do not see a different way…

    @bcworkz, thanks for thinking with me.

    • This reply was modified 4 years, 6 months ago by stilldreaming.
Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘Custom Posts / Block editor / Rest API / show_in_rest’ is closed to new replies.