airesvsg / acf-to-rest-api

Exposes Advanced Custom Fields Endpoints in the WordPress REST API
https://wordpress.org/plugins/acf-to-rest-api/

Need clarification on what show_in_rest / edit_in_rest are supposed to do #380

Open therealgilles opened 3 years ago

therealgilles commented 3 years ago

I see the two filters in the documentation. Does it mean that if they are set, only the fields with the options enabled in the backend should show / be editable through the REST API?

// Enable the option show in rest
add_filter( 'acf/rest_api/field_settings/show_in_rest', '__return_true' );

// Enable the option edit in rest
add_filter( 'acf/rest_api/field_settings/edit_in_rest', '__return_true' );

I have added the filters and I see some of the ACF fields show when doing a wp/v2/users request under 'acf', even though their options are not enabled. Is that expected?

lukas-hablitzel commented 3 years ago

Same problem here: Fields get displayed no matter what the "Show in REST API?" switch is set to.

grex22 commented 1 year ago

Couple years later, and this is still a pretty big bug. Our ACF fields can contain sensitive data, so this is a pretty nasty security hole. My issue is popping up on an ACF Options page, unsure if that matters.
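
A defender-side check for the behaviour reported in this thread, as an added example that is not part of the issue or the plugin's code: it compares the `acf` object of a REST response with the field definitions and lists every field that is present although its switch is off. The per-field `show_in_rest` key, the `name` / `sub_fields` layout and all sample data are assumptions constructed for illustration.

```python
import json

# Constructed sample: ACF field definitions. The per-field "show_in_rest" key
# is an assumption about how the backend switch is stored.
FIELDS = json.loads("""[
  {"name": "public_bio",  "type": "text",  "show_in_rest": 1},
  {"name": "internal_id", "type": "text",  "show_in_rest": 0},
  {"name": "billing",     "type": "group", "show_in_rest": 1, "sub_fields": [
      {"name": "company", "type": "text", "show_in_rest": 1},
      {"name": "tax_no",  "type": "text", "show_in_rest": 0}]},
  {"name": "notes",       "type": "textarea"}
]""")

# Constructed sample: body of a wp/v2/users response (a list of user objects).
RESPONSE = json.loads("""[
  {"id": 1, "acf": {"public_bio": "hi", "internal_id": "E-17",
                    "billing": {"company": "ACME", "tax_no": "X1"}}},
  {"id": 2, "acf": {"public_bio": "", "notes": "call back"}}
]""")

def leaked(acf, fields, prefix=""):
    """Return dotted paths of keys in `acf` that are not enabled for REST."""
    defs = {f["name"]: f for f in fields}
    out = []
    for key, value in acf.items():
        f = defs.get(key)
        if f is None or not f.get("show_in_rest"):
            # Unknown field or switch off/missing: report it, do not descend.
            out.append(prefix + key)
        elif f.get("sub_fields") and isinstance(value, dict):
            # Enabled container: each sub-field needs its own switch.
            out += leaked(value, f["sub_fields"], prefix + key + ".")
    return out

def audit(response, fields):
    """Map object id -> sorted list of fields exposed without the switch."""
    items = response if isinstance(response, list) else [response]
    report = {}
    for item in items:
        acf = item.get("acf")
        if not isinstance(acf, dict):  # "acf" may be absent or false when empty
            continue
        found = sorted(leaked(acf, fields))
        if found:
            report[item.get("id")] = found
    return report

if __name__ == "__main__":
    print(audit(RESPONSE, FIELDS))
```

Run it against a response fetched without authentication from your own site to see what an anonymous client receives.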