Hi,
I'm trying to use the REST API to allow access to a custom post type per user account. Here is my scenario.

A user can create a custom post type with some personal data. Currently on the site the user views only his own posts and cannot see others' posts.
I would like to use the REST API and allow users to view their personal posts without exposing the others' posts.
Is it possible?
At the moment (while on the site, i.e. the user is logged in, no API used) I limit the user view based on author ID and logged-in user. If there is a match only the specific custom post type posts are displayed, i.e. author matches logged-in user.

Can I do this using the REST API? If yes, how?

Thanks,

David

Viewing 3 replies - 1 through 3 (of 3 total)
Moderator bcworkz (@bcworkz)

How are you currently limiting the user view to his posts only? If it's through the WP_Query methods somehow, such as the "pre_get_posts" action, then it would apply to API calls as well. The API goes through the same WP_Query process to get posts as a normal HTTP request would.

If you are not altering the WP_Query to restrict views, that is what you need to do to restrict API requests.
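As an added illustration of the point above (example code, not from the original thread or any plugin mentioned in it): a `pre_get_posts` hook that pins every front-end and REST collection query for the custom post type to the current user's own posts, and a `rest_prepare_{post_type}` filter for the one path that does not go through WP_Query, the single-item endpoint `/wp/v2/<type>/<id>`. The post type slug `client_record`, the plugin header and the assumption that the post type uses the default post capabilities (so `edit_others_posts` identifies staff who may see everything) are all hypothetical.

```php
<?php
/**
 * Plugin Name: Restrict client_record posts to their author (example)
 */

// Hypothetical custom post type slug; replace with the real one.
const CLIENT_RECORD_TYPE = 'client_record';

/**
 * Staff who may read every record. Assumes the post type maps to the
 * default post capabilities; adjust if it registers its own.
 */
function client_record_can_see_all() {
    return current_user_can( 'edit_others_posts' );
}

/**
 * Runs for every WP_Query, which is what both normal page loads and the
 * REST collection endpoint (/wp/v2/client_record) use to fetch posts.
 */
function client_record_restrict_query( WP_Query $query ) {
    $type = $query->get( 'post_type' );
    $targets_type = ( $type === CLIENT_RECORD_TYPE )
        || ( is_array( $type ) && in_array( CLIENT_RECORD_TYPE, $type, true ) );
    if ( ! $targets_type || client_record_can_see_all() ) {
        return;
    }

    $user_id = get_current_user_id();
    if ( 0 === $user_id ) {
        // Anonymous caller: return an empty set. "ID IN (0)" never matches.
        $query->set( 'post__in', array( 0 ) );
        return;
    }

    // Override whatever author filters arrived in the query string; the REST
    // controller maps ?author= and ?author_exclude= onto author__in/__not_in.
    $query->set( 'author', $user_id );
    $query->set( 'author__in', array() );
    $query->set( 'author__not_in', array() );
}
add_action( 'pre_get_posts', 'client_record_restrict_query' );

/**
 * GET /wp/v2/client_record/<id> loads the post with get_post(), not WP_Query,
 * so the hook above does not see it. Refuse to serialise someone else's record.
 */
function client_record_guard_single( $response, WP_Post $post, WP_REST_Request $request ) {
    if ( client_record_can_see_all() ) {
        return $response;
    }
    if ( (int) $post->post_author !== get_current_user_id() ) {
        return new WP_Error(
            'rest_forbidden',
            'You may only read your own records.',
            array( 'status' => 403 )
        );
    }
    return $response;
}
add_filter( 'rest_prepare_' . CLIENT_RECORD_TYPE, 'client_record_guard_single', 10, 3 );
```

Drop the file into `wp-content/plugins/` and activate it, then compare `GET /wp-json/wp/v2/client_record` and `GET /wp-json/wp/v2/client_record/<id>` as two different logged-in users: each should see only their own records in the list and get a 403 for the other user's id. The list query overrides `author` rather than merely adding to it so that appending `?author=<other id>` to the request cannot widen the result set, which is the case the thread starter asks about later.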

Thread Starter davidzohar (@davidzohar)

@bcworkz
Thank you so much for the information.

I'm using the "Toolset Views" plugin to allow for views based on filters, i.e. author is the current logged-in user.

Now I'm trying to allow selected vendors that have their own clients to leverage my engine and have them allow their clients to create posts on my site, read them and edit them directly from the vendor site.
So I need to find a way to authenticate the vendor client before allowing access only to his account.

The scenario is as follows:
1. User logs in to a vendor (3rd party) application.
2. User wants to get data from my website using the vendor application.
3. In the backend I envision that the vendor application will do the following:
3.a Create an account for the user on my site. Is it possible using the REST API?
3.b Vendor application gets the user name and password for my website and stores it for the client.
3.c Vendor application creates a custom post on my site with the user credentials.
3.d Vendor application pulls the custom post for the client and renders it on the vendor application.

I want to prevent vendors seeing other non-vendor clients' data, or someone reading all the custom posts of other users just by changing the author ID in a query.

Any thoughts?

David

Moderator bcworkz (@bcworkz)

Hmmm, it's hard to give specific ideas because you are relying on a plugin I'm not familiar with. On a positive note, just about anything should be possible in theory. But getting there is not always straightforward. In fact, just about anything is possible through the API alone by utilizing custom endpoints.

Adding users is a built-in functionality of the API. The problem you are going to run into is authentication. Not just anyone or any app can add users. I could see apps initially authenticating as a vendor. Once the user is added, somehow vendor authentication is locked out and only user authentication is possible. This has some security concerns I'm not sure how to resolve. Security built into client apps is somewhat of an oxymoron in my mind. I don't build apps, maybe it's not a big deal.

If authentication can be resolved, we're back to how are user views currently restricted? It may all just work, or more coding is required. It depends on the Toolset Views plugin you are using. You should ask the author of the plugin if the filters work for API calls. Or set up your own testing to verify. If not, something else can be worked out.
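The reply above points at custom endpoints and at the fact that only an authenticated caller with the right capability may add users. As an added example (not code from the thread, from WordPress core or from any plugin named here), this is the shape such a vendor-facing endpoint takes: `register_rest_route` with an explicit `permission_callback` that requires the `create_users` capability, argument validation, and a response that hands the generated password back exactly once instead of writing it into a post. The namespace `vendor/v1`, the route `/clients`, the `vendor_id` user meta key and the plugin header are hypothetical.

```php
<?php
/**
 * Plugin Name: Vendor client provisioning endpoint (example)
 */

// Hypothetical route namespace for this example.
const VENDOR_API_NS = 'vendor/v1';

add_action( 'rest_api_init', function () {
    register_rest_route( VENDOR_API_NS, '/clients', array(
        'methods'  => WP_REST_Server::CREATABLE,
        'callback' => 'vendor_create_client',
        // Core checks this before the callback runs: anonymous requests and
        // accounts without create_users get a 401/403 and never create anything.
        'permission_callback' => function () {
            return current_user_can( 'create_users' );
        },
        'args' => array(
            'email' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_email( $value ) !== false;
                },
                'sanitize_callback' => 'sanitize_email',
            ),
        ),
    ) );
} );

/**
 * Creates a subscriber for the vendor's client and records which vendor
 * account provisioned it (hypothetical "vendor_id" meta), so later queries
 * can scope a vendor to its own clients.
 */
function vendor_create_client( WP_REST_Request $request ) {
    $email = $request->get_param( 'email' );

    if ( email_exists( $email ) ) {
        return new WP_Error(
            'vendor_client_exists',
            'A user with this email already exists.',
            array( 'status' => 409 )
        );
    }

    // Let WordPress generate the password; it is returned once in this
    // response and is otherwise stored only as a hash in wp_users.
    $password = wp_generate_password( 24 );
    $user_id  = wp_insert_user( array(
        'user_login' => $email,
        'user_email' => $email,
        'user_pass'  => $password,
        'role'       => 'subscriber',
    ) );

    if ( is_wp_error( $user_id ) ) {
        $user_id->add_data( array( 'status' => 400 ) );
        return $user_id;
    }

    update_user_meta( $user_id, 'vendor_id', get_current_user_id() );

    return new WP_REST_Response(
        array( 'id' => $user_id, 'login' => $email, 'password' => $password ),
        201
    );
}
```

With the plugin active, `POST /wp-json/vendor/v1/clients` with `email=client@example.com` succeeds only when the request authenticates as an account that can create users, which keeps the vendor credential separate from the client credential it provisions. The new user's own posts are then read and written under the client's login, and the `vendor_id` meta gives you a hook for a later `pre_get_posts` rule if a vendor also needs a list of its own clients' records.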

The topic 'Using REST API with per user restricted access to Custom Post Type' is closed to new replies.