WordPress /categories REST API endpoint not blocking
Hi,
I installed the “Application Passwords” plugin and your “Cerber” plugin.
They work fine together for most API endpoints.
But even when I BLOCK the API the following endpoints are still accessible to non-authenticated users:
wp/v2/categories
wp/v2/pages
wp/v2/posts

I know these endpoints are, by default, accessible for non-authenticated users, but my guess was that your plugin would block them too when I select:
[X] Block access to WordPress REST API except any of the following
[ ] Allow REST API for logged in users
[ Administrator Vendor ] Allow REST API for these roles
[ oembed ] Allow these namespaces

I may solve this problem by including the code below in wp-config.php, but it would be easier to use your plugin:
add_filter( 'rest_authentication_errors', function( $result ) {
    // If a previous authentication check was applied,
    // pass that result along without modification.
    if ( true === $result || is_wp_error( $result ) ) {
        return $result;
    }

    // No authentication has been performed yet.
    // Return an error if user is not logged in.
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            __( 'You are not currently logged in.' ),
            array( 'status' => 401 )
        );
    }

    // Our custom authentication check should have no effect
    // on logged-in requests
    return $result;
});
Is this the normal behavior of your plugin or is it a bug?
Thanks
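
An added example, not part of the original post and not the Cerber plugin's code: a variant of the filter above that also applies the role and namespace settings listed in the post, so `wp/v2/categories`, `wp/v2/pages` and `wp/v2/posts` return 401 to anonymous requests while `oembed` stays open. The role slug `vendor`, the two arrays, and loading the file as a must-use plugin are assumptions.

```php
<?php
/**
 * Added example: role- and namespace-aware REST API gate.
 * Assumption: loaded as a must-use plugin (wp-content/mu-plugins/).
 */
add_filter( 'rest_authentication_errors', function ( $result ) {
    // Keep an error already raised by another authentication handler.
    if ( is_wp_error( $result ) ) {
        return $result;
    }

    // Assumption: mirrors the "Allow these namespaces" field in the post.
    $allowed_namespaces = array( 'oembed' );
    // Assumption: 'vendor' is the slug of the "Vendor" role.
    $allowed_roles = array( 'administrator', 'vendor' );

    // Route as resolved by WordPress, e.g. "/wp/v2/categories".
    $route = isset( $GLOBALS['wp']->query_vars['rest_route'] )
        ? (string) $GLOBALS['wp']->query_vars['rest_route']
        : '/';

    // Allowed namespaces stay reachable without authentication.
    foreach ( $allowed_namespaces as $ns ) {
        if ( '/' . $ns === $route || 0 === strpos( $route, '/' . $ns . '/' ) ) {
            return $result;
        }
    }

    // Everything else, including wp/v2/categories, pages and posts,
    // requires an authenticated user (cookie or application password).
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            __( 'You are not currently logged in.' ),
            array( 'status' => 401 )
        );
    }

    // Authenticated, but the account holds none of the allowed roles.
    if ( ! array_intersect( $allowed_roles, (array) wp_get_current_user()->roles ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'Sorry, you are not allowed to do that.' ),
            array( 'status' => 403 )
        );
    }

    return $result;
} );
```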