REST API Post Type vs. “regular” post

  • The 4.7.1 release notes say, “The REST API exposed user data for all users who had authored a post of a public post type. WordPress 4.7.1 limits this to only post types which have specified that they should be shown within the REST API. Reported by Krogsgard and Chris Jean.”

    I’m a regular user of WP and am ignorant of the distinction between a “public post type” and one that specifies the use of the REST API.

    I have no special or custom post types among the sites I manage (that I know of). I create a post, and publish it. No known frills.

    Does the fix in 4.7.1 specified above now protect my users from “exposed user data”?

    Thanks in advance.

Viewing 2 replies - 1 through 2 (of 2 total)

  • Hey @danw_wp! If you just use regular posts, nothing will be exposed through the API that isn’t already published and publicly visible on your site. If the post’s set to private, password protected, or restricted in any other way, it should be omitted from the API; only public data is exposed.

    The specific fix noted in the release notes was related to when somebody creates a Custom Post Type. For example if you made a “books” type to keep track of books you’d read, or something. With a custom type you can have finer-grained control of how it is exposed to the world, so I could have said, “yes, I want these books to be viewable as public URLs.” However, maybe I don’t want those to show up in the API for whatever reason. The issue that just got fixed was that if the custom post type was public, it would automatically be included in the REST API — when that was intended to be an opt-in.

    Hope this helps clarify!

    Thread Starter DanW_WP

    (@danw_wp)

    It does help. Thanks very much for the quick reply! Much appreciated!

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘REST API Post Type vs. “regular” post’ is closed to new replies.

Tags