Prevent CRUD of product variations via API.

  • Hello! Hopefully someone can help me with this API question.

    Im using the ‘woocommerce_rest_check_permissions’ filter to prevent users from the API from editing products that are not theirs. My development on this is working great so far, but Im trying to prevent users from editing variations of PRODUCTS that arent theirs and I cant make it work, the $object_id is always 0 for some reason.

    EXAMPLE: I have the product with id 500, this product belongs to someone else and I cannot touch it, HOWEVER, I can edit, create, list and delete variations from this product (products/500/variations/501, for example, and delete the variation), even though the parent product is not mine. How can I prevent this from happening ?

    Thank you in advance!

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Support RK a11n

    (@riaanknoetze)

    Hi there,

    How are you assigning products to a user though? I’m asking since the WooCommerce REST API doesn’t have an “owner” or “user” attribute that can be referenced for either the parent product nor individual variations (See https://woocommerce.github.io/woocommerce-rest-api-docs/#products).

    Thread Starter mauricionieto1994

    (@mauricionieto1994)

    @riaanknoetze Thank you for your reply. I enabled authorship of products via the “author” post_type_support. So whoever creates a product is the owner of the product. Then via the API I get the post author via the product ID and compare it with the current user logged of the API.

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Prevent CRUD of product variations via API.’ is closed to new replies.