
[Escalated to 2nd Tier] Custom types in Rest API do not respect Access configuration

This is the technical support forum for Toolset - a suite of plugins for developing WordPress sites without writing PHP.

Everyone can read this forum, but only Toolset clients can post in it. Toolset support works 6 days per week, 19 hours per day.

Support hours: Monday to Friday, 7:00 – 14:00 and 15:00 – 16:00; closed Saturday and Sunday.

Supporter timezone: Europe/London (GMT+01:00)

This topic contains 4 replies, has 2 voices.

Last updated by Nigel 1 year, 9 months ago.

Assisted by: Nigel.

[Attached screenshot: Capture d’écran 2023-11-03 152911.jpg]

Hi,

I have a custom type that visitors do not have rights to read.

If I visit the page of an "adhesion-v1" as a visitor, it is blocked. Example: hidden link

But if I request the data through the REST API, all data are exposed. Example: hidden link

It can be considered a data leak.

I checked with all plugins disabled except Toolset. The issue is still present.

Can you help me?

Another point, I don't know if it's related, but Application Passwords are not handled in the REST API for this type. I checked /wp/v2/users/me and /wp/v2/posts: they are related to my account with my application password. But /wp/v2/adhesion-v1/ works like a visitor.

Best

#2660365

Another piece of information on the last point: I discovered it works with Cookie authentication but not with Basic Authentication using an application password.

Still don't know if it's related.

#2661045

Nigel
Supporter

Languages: English (English), Spanish (Español)

Timezone: Europe/London (GMT+01:00)

Hi there

I tested this and found the same result: Access rules are not applied to REST requests, and unauthenticated REST requests will return details of posts that would be hidden if trying to visit the post URL.

I'm surprised this hasn't come up before.

The "solution" to prevent data leakage is to disable the REST API for this particular post type, but that doesn't help if you want authenticated users to be able to retrieve such posts via the REST API.

I'm checking with my colleagues to see if I am missing anything, and I'll get back to you.

#2661051

Hi,

I activated the plugin "Disable WP REST API" for now.

But if you publish a fix, I am very interested.

Best

#2661059

Nigel
Supporter

Languages: English (English), Spanish (Español)

Timezone: Europe/London (GMT+01:00)

It may not be necessary to add a plugin.

You can go to Toolset > Post Types and edit the post type in question.

Under the Options you can uncheck the option to "show in REST" to disable the REST API for this particular post type.

Note that the REST API is required for the Gutenberg block editor; it would be necessary to switch to the Classic editor for this post type to be able to disable REST.
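For the case Nigel raises in his first reply, where REST should stay available for authenticated users but not leak the post type to anonymous callers, the following is an added example (not Toolset's code or the poster's) of gating the post type's routes in a small plugin instead of unchecking "show in REST". It assumes the REST base is `adhesion-v1`, taken from the `/wp/v2/adhesion-v1/` URL in the thread; the function names are placeholders.

```php
<?php
/**
 * Added example (not Toolset code): require an authenticated user with the
 * "read" capability for the REST routes of one custom post type, instead of
 * disabling REST for the type entirely (which would also break Gutenberg).
 *
 * Assumption: the post type's REST base is "adhesion-v1" (from the
 * /wp/v2/adhesion-v1/ URL quoted in the thread).
 */

/** REST bases whose routes must not be served to anonymous requests. */
function adhesion_protected_rest_bases() {
    return array( 'adhesion-v1' );
}

/**
 * True when $route targets a protected base: /wp/v2/adhesion-v1 (collection)
 * or /wp/v2/adhesion-v1/123 (single item). $request->get_route() returns the
 * path without the /wp-json prefix.
 */
function adhesion_rest_route_is_protected( $route ) {
    foreach ( adhesion_protected_rest_bases() as $base ) {
        $pattern = '#^/wp/v2/' . preg_quote( $base, '#' ) . '(/|$)#';
        if ( preg_match( $pattern, $route ) ) {
            return true;
        }
    }
    return false;
}

/**
 * Runs before any route callback. Returning a WP_Error here short-circuits
 * the request, so anonymous callers get a 401 (403 if logged in without the
 * capability) instead of the post data. All other routes pass through.
 * is_user_logged_in() reflects whichever REST authentication succeeded
 * (cookie + nonce, or an Application Password via Basic Auth).
 */
function adhesion_rest_require_auth( $response, $handler, $request ) {
    if ( ! adhesion_rest_route_is_protected( $request->get_route() ) ) {
        return $response;
    }
    if ( ! is_user_logged_in() || ! current_user_can( 'read' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You must be logged in to access this content.' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return $response;
}
add_filter( 'rest_request_before_callbacks', 'adhesion_rest_require_auth', 10, 3 );
```

After activating, `curl -i https://example.invalid/wp-json/wp/v2/adhesion-v1` (constructed host) should return a 401 JSON error with no post data, while a cookie- or Application-Password-authenticated request still gets the items the user is allowed to read.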