Closed JoryHogeveen closed 2 months ago
@sc0ttkclark Even weirder. This access management is only available for Read mode, not Write. Even if you set a field as access-only for reading, writing is still allowed??
I think this access feature should be done in the get and update handlers, not during registering these fields. During registering the only option you have is to validate the user cookie, which is not REST related.
Write isn't restricted because the person already has access to write to the whole object. This was designed as a way to restrict read but leave WP role/caps auth for the writes.
Check, I'm almost done with a patch for you to review.
Fixed via #7341
Description
When you enable REST API but set the fields as "private" (requires authentication) they will not show when using application passwords.
After testing I've found that during REST initialization (when Pods registers its fields) the function is_user_logged_in() does not work for application passwords. Only in the get_callback of a field will the application password user be authenticated. However, at that point the field is already disabled.
Version
3.2.6
Testing Instructions
See description and it should be clear! Add a field, enable REST API but only accessible for logged in users, test a call using an application password through (for example) Postman.
Screenshots / Screencast
No response
Possible Workaround
None that I've found, other than enabling the fields publicly.
Site Health Information
No response
Pods Package
No response
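The timing difference reported in this issue, as an added PHP example that is not Pods code and not the patch from #7341: the first function gates the field when it is registered, the second registers it unconditionally and checks authentication inside get_callback, where the report says the application-password user is resolved. The post type 'post', the field name 'internal_note' and the example_* function names are assumptions made for illustration.

```php
<?php
// Added example, not Pods code. 'post' and 'internal_note' are assumed names.

// Registration-time gate: the pattern the report describes. If the
// application-password user is not yet resolved when this runs, the field
// is never registered and cannot appear in the response.
function example_register_gated_at_init() {
    if ( ! is_user_logged_in() ) {
        return;
    }
    register_rest_field( 'post', 'internal_note', array(
        'get_callback' => 'example_read_note',
    ) );
}

// Request-time gate: always register the field, then decide per request
// inside the callback, after REST authentication has run.
function example_register_gated_at_read() {
    register_rest_field( 'post', 'internal_note', array(
        'get_callback' => function ( $prepared, $field_name, $request ) {
            if ( ! is_user_logged_in() ) {
                // The key stays in the response; only the value is withheld.
                return null;
            }
            return example_read_note( $prepared, $field_name );
        },
        'schema'       => array(
            'type'    => 'string',
            'context' => array( 'view', 'edit' ),
        ),
    ) );
}

// Shared reader: $prepared is the response data array built for the post.
function example_read_note( $prepared, $field_name ) {
    $post_id = isset( $prepared['id'] ) ? (int) $prepared['id'] : 0;
    return $post_id ? (string) get_post_meta( $post_id, $field_name, true ) : null;
}

// Only the request-time variant is hooked; the other is kept for comparison.
add_action( 'rest_api_init', 'example_register_gated_at_read' );
```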