• Resolved amirassari2002

    (@amirassari2002)


    It seems the iThemes Security REST API restricted access option in WordPress Tweaks did not work, and all REST API endpoints are public after activating this option.

    Did you check it?

Viewing 12 replies - 1 through 12 (of 12 total)
  • Plugin Support Shalom Taiwo

    (@shalomt)

    Hi @amirassari2002

    Thank you for reaching out!

    That doesn’t show any content from the site; it just shows the list of available routes to be called.

    Please let me know if this helps.

    Best regards,
    Shalom

    Thread Starter amirassari2002

    (@amirassari2002)

    Dear Shalom,

    And what is the Restricted API doing? It seems all info is the same as when the default REST API mode is active.

    Plugin Support Shalom Taiwo

    (@shalomt)

    Hi @amirassari2002

    The default REST API settings get the information from your site, including published posts, user details, and media library entries, and make them available for public access.

    However, the restricted access, although it shows the routes, will not include the information from your site.

    Here’s a guide to assist with understanding more about the REST API feature: https://ithemes.com/security/wordpress-rest-api-restrict-access/

    Please let me know if this helps.

    Best regards,
    Shalom

    Thread Starter amirassari2002

    (@amirassari2002)

    @shalomt

    Dear Shalom,

    You mentioned the published posts. Published posts on the website are publicly available. However, the iThemes restricted feature limits this accessibility and displays the user IDs of the website’s authors and editors, which are not accessible to the general public.

    To view the user IDs of the admins and authors on the website, you can go to domain.com/wp-json/wp/v2/users.

    This endpoint will provide you with plenty of user IDs regarding the admins and authors.

    Best regards.

    Plugin Support Shalom Taiwo

    (@shalomt)

    Hi @amirassari2002

    Kindly note that if you are logged in as an admin user, you’ll get access to the REST API when logged in. However, when logged out or by users with no access, you’ll get a message like:

    {"code":"itsec_rest_api_access_restricted","message":"You do not have sufficient permission to access this endpoint. Access to REST API requests is restricted by iThemes Security settings.","data":{"status":401}}

    Please let me know how it goes.

    Thread Starter amirassari2002

    (@amirassari2002)

    Hi @shalomt

    The main problem is here: on the last version, if the user is not logged in and the restricted function is active, all info is shown and the message below does not appear:

    {"code":"itsec_rest_api_access_restricted","message":"You do not have sufficient permission to access this endpoint. Access to REST API requests is restricted by iThemes Security settings.","data":{"status":401}}
    

    It seems the restricted REST API function did not work in the last version. You can test it simply: activate restricted REST API and check domain.com/wp-json/wp/v2/users as a guest user.

    You will not get any 401 error.

    Plugin Support Shalom Taiwo

    (@shalomt)

    Hi @amirassari2002

    I can assure you that this is tested on the latest version. Please see the screen share https://share.getcloudapp.com/wbuLDelD

    I’ll suggest clearing cache or cookies if any or reinstalling the plugin.

    Thread Starter amirassari2002

    (@amirassari2002)

    Hi

    I checked again.

    It seems routes are open and other sections are restricted.

    such as domain.com/wp-json/wp/v2/ is open

    domain.com/wp-json/wp/v2/ is restricted.

    On the old version all paths related to wp-json were restricted. Has it changed in new versions?

    Thread Starter amirassari2002

    (@amirassari2002)

    Example when ithemes restricted is active:

    domain.com/wp-json/ : open
    domain.com/wp-json/wp: restricted
    domain.com/wp-json/wp/v2 : open
    domain.com/wp-json/wp/v2/user: restricted

    However, if we use a customized function to restrict API access, it will restrict all wp-json REST API paths.

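    add_filter( 'rest_authentication_errors', function( $result ) {
        // An earlier authentication check already passed or failed: keep its result.
        if ( true === $result || is_wp_error( $result ) ) {
            return $result;
        }
    
        // No authentication has run yet: refuse every REST request from a guest.
        if ( ! is_user_logged_in() ) {
            return new WP_Error(
                'rest_not_logged_in',
                __( 'You are not currently logged in.' ),
                array( 'status' => 401 )
            );
        }
    
        // Logged-in user: leave the result unchanged.
        return $result;
    });

    Plugin Support Shalom Taiwo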

    (@shalomt)

    Hi @amirassari2002

    I understand the concern; however, I can assure you that there is no important information in the accessible JSON links while the “Restricted” mode is enabled.

    Plugin Support Shalom Taiwo

    (@shalomt)

    Hi there,

    I hope the information provided helped resolve your issues. Given that we have not received a response, I will mark this post as resolved. If you still need some assistance, please feel free to open a new support topic, and we would be happy to assist.

    Thank you!

    Is there a way a 3rd party application can be authenticated to access the REST API? I’m developing an application and this limitation is stopping me from moving forward while your plugin is enabled.

  • The topic ‘Rest api Restricted access not worked’ is closed to new replies.
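
The guest-access check discussed in this thread, as an added example that is not part of the original posts or the plugin's code: it classifies responses to unauthenticated REST requests on your own site as refused, route listing only, or site content. The sample responses are constructed, and the code assumes a route index is a JSON object with a `routes` key.

```python
import json

# Error codes seen in the thread: the plugin's refusal and the custom filter's.
REFUSAL_CODES = {"itsec_rest_api_access_restricted", "rest_not_logged_in"}


def classify(status, body):
    """Classify one response to an unauthenticated REST request."""
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return "unknown"          # not JSON: cache page, HTML error, empty body
    if isinstance(data, dict):
        if status == 401 and data.get("code") in REFUSAL_CODES:
            return "restricted"
        if status == 200 and "routes" in data:
            return "route-index"  # lists callable routes, no site content
    if status == 200:
        return "content" if data else "empty"
    return "unknown"


def audit(responses):
    """Map each route to its verdict; responses is {route: (status, body)}."""
    return {route: classify(status, body) for route, (status, body) in responses.items()}


def exposed(responses):
    """Routes that returned site content to an anonymous caller."""
    return sorted(r for r, v in audit(responses).items() if v == "content")


# Constructed sample responses (not captured from any real site).
REFUSAL = ('{"code":"itsec_rest_api_access_restricted",'
           '"message":"constructed","data":{"status":401}}')
RESTRICTED_SITE = {
    "/wp-json/": (200, '{"namespaces":["wp/v2"],"routes":{"/":{}}}'),
    "/wp-json/wp/v2": (200, '{"namespace":"wp/v2","routes":{"/wp/v2/users":{}}}'),
    "/wp-json/wp/v2/users": (401, REFUSAL),
}
UNRESTRICTED_SITE = dict(RESTRICTED_SITE)
UNRESTRICTED_SITE["/wp-json/wp/v2/users"] = (200, '[{"id":1,"slug":"editor-one"}]')

if __name__ == "__main__":
    for name, site in (("restricted", RESTRICTED_SITE), ("default", UNRESTRICTED_SITE)):
        print(name, audit(site), "exposed:", exposed(site))
```

A verdict of "unknown" on a route that should be refused is worth a second look, since a cached page or an HTML error can hide what the REST layer would have returned.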