Opened 9 months ago
Last modified 4 months ago
#57829 new enhancement
Post "Read" Capability for Rest API
| Reported by: |
|
Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Posts, Post Types | Keywords: | |
| Focuses: | rest-api | Cc: |
Description
Posttypes with the public attribute set to false are still queryable through the rest api. Since it seems there is no other capability to check for a general read permission of posts and the 'show_in_rest' attribute is needed for the block editor and to make the post queryable by authenticated users, i think it makes sense to either introduce said "read_post" capability or to make rest api requests only query editable posts when the posttype has public set to false.
Not having the option to have a non-public posttypes and the rest api enabled at the same time without any further workaround seems unintuitive to me.
Change History (1)
Note: See
TracTickets for help on using
tickets.
I would also agree.
I would go farther and say that the requirement of setting "show_in_rest" to true as a means to enable the Gutenberg editor on CPTs has probably led many developers to unintentionally expose private post types data via the REST API.
I don't understand the connection with enabling the post type to be visible in the rest API, with enabling the Gutenberg editor.
I've tried setting the following options to prevent CPTs from being visible when Gutenberg is also enabled, but none prevent visibility:
'public' => false,
'has_archive' => false,
'publicly_queryable' => false,
'exclude_from_search' => false
This seems like a security concern to me. I've personally needed to write additional code to disable the rest API output for a given CPT, that I also want Gutenberg to be enabled on.
I think enabling the Gutenberg editor on a CPT should be a separate option. Though I guess it is too late for that!