Make WordPress Core

Opened 9 months ago

Last modified 4 months ago

#57829 new enhancement

Post "Read" Capability for Rest API

Reported by: juvodesign | Owned by: (none)
Milestone: Awaiting Review | Priority: normal
Severity: normal | Version: (none)
Component: Posts, Post Types | Keywords: (none)
Focuses: rest-api | Cc: (none)

Description

Post types with the public attribute set to false are still queryable through the REST API. Since it seems there is no other capability to check for a general read permission of posts, and the 'show_in_rest' attribute is needed for the block editor and to make the post queryable by authenticated users, I think it makes sense to either introduce said "read_post" capability or to make REST API requests only query editable posts when the post type has public set to false.

Not having the option to have non-public post types and the REST API enabled at the same time without any further workaround seems unintuitive to me.

Change History (1)

#1 @grayscale
4 months ago

  • Component changed from General to Posts, Post Types
  • Focuses rest-api added

I would also agree.
I would go farther and say that the requirement of setting "show_in_rest" to true as a means to enable the Gutenberg editor on CPTs has probably led many developers to unintentionally expose private post types data via the REST API.

I don't understand the connection with enabling the post type to be visible in the rest API, with enabling the Gutenberg editor.

I've tried setting the following options to prevent CPTs from being visible when Gutenberg is also enabled, but none prevent visibility:
'public' => false,
'has_archive' => false,
'publicly_queryable' => false,
'exclude_from_search' => false

This seems like a security concern to me. I've personally needed to write additional code to disable the REST API output for a given CPT that I also want Gutenberg to be enabled on.

I think enabling the Gutenberg editor on a CPT should be a separate option. Though I guess it is too late for that!
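A workaround of the kind the comment describes, as an added example that is not code from the ticket or from WordPress core: a custom REST controller, passed through the register_post_type 'rest_controller_class' argument, that keeps show_in_rest enabled for the block editor while limiting REST reads (both the collection and single items) to users who hold the post type's edit_posts capability. The post type name 'internal_memo', its rest_base and the controller class name are assumptions.

```php
<?php
/**
 * Added example (not code from the ticket or from WordPress core).
 * Restricts REST reads of a non-public CPT to users who can edit it,
 * so show_in_rest can stay true for the block editor without exposing
 * the data to anonymous GET requests.
 */
class Internal_Memo_REST_Controller extends WP_REST_Posts_Controller {

	// Shared check: require the post type's edit_posts capability.
	// Returns true, or a WP_Error with 401 (anonymous) / 403 (logged in).
	private function require_edit_capability() {
		$post_type = get_post_type_object( $this->post_type );
		if ( ! current_user_can( $post_type->cap->edit_posts ) ) {
			return new WP_Error(
				'rest_forbidden_context',
				__( 'Sorry, you are not allowed to view these posts.' ),
				array( 'status' => rest_authorization_required_code() )
			);
		}
		return true;
	}

	// Collection reads: GET /wp/v2/internal-memos
	public function get_items_permissions_check( $request ) {
		$check = $this->require_edit_capability();
		return is_wp_error( $check ) ? $check : parent::get_items_permissions_check( $request );
	}

	// Single-item reads: GET /wp/v2/internal-memos/<id> (covered separately on purpose)
	public function get_item_permissions_check( $request ) {
		$check = $this->require_edit_capability();
		return is_wp_error( $check ) ? $check : parent::get_item_permissions_check( $request );
	}
}

add_action( 'init', function () {
	register_post_type( 'internal_memo', array(   // assumed post type name
		'public'                => false,
		'publicly_queryable'    => false,
		'show_ui'               => true,
		'show_in_rest'          => true,            // required for the block editor
		'rest_base'             => 'internal-memos', // assumed
		'rest_controller_class' => 'Internal_Memo_REST_Controller',
		'capability_type'       => 'post',
		'supports'              => array( 'title', 'editor' ),
	) );
} );
```

Editors and the block editor itself authenticate with a nonce, so they still pass the check; an unauthenticated GET to the collection or an item now receives 401 instead of the post data.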
