Open therealgilles opened 3 years ago
Same problem here: Fields get displayed no matter what the "Show in REST API?" switch is set to.
Couple years later, and this is still a pretty big bug. Our ACF fields can contain sensitive data, so this is a pretty nasty security hole. My issue is popping up on an ACF Options page, unsure if that matters..
I see the two filters in the documentation. Does it mean that if they are set, only the fields with the options enabled in the backend should show / be editable through the REST API?
I have added the filters and I see some of the ACF fields show when doing a wp/v2/users request under 'acf', even though their options are not enabled. Is that expected?