Protect API endpoints
mjangda opened this issue · 2 comments
mjangda commented
When maintenance mode is enabled, we should make sure that REST API and XML-RPC endpoints are restricted to the proper capabilities as well.
mjangda commented
For REST API, can hook late into `rest_authentication_errors` and return an error if the requesting user does not have the proper caps. Something like:

```php
add_filter( 'rest_authentication_errors', function( $result ) {
	// Keep any error an earlier authentication handler already returned.
	if ( is_wp_error( $result ) ) {
		return $result;
	}
	$required_capability = apply_filters( 'vip_maintenance_mode_required_cap', 'edit_posts' );
	if ( ! current_user_can( $required_capability ) ) {
		// 401 for anonymous requests, 403 for authenticated users lacking the cap.
		$status = array( 'status' => rest_authorization_required_code() );
		return new WP_Error( 'rest_forbidden', __( 'Sorry, you are not allowed to do that.' ), $status );
	}
	return $result;
}, 999 );
```
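The XML-RPC side of the issue, as an added example that is not code from the issue or the plugin: XML-RPC authenticates each call through `wp_authenticate()`, so the `authenticate` filter is where the capability check goes. It assumes the same `vip_maintenance_mode_required_cap` filter name as above and that the hook is only registered while maintenance mode is enabled.

```php
/**
 * Added example: restrict XML-RPC to users holding the maintenance-mode capability.
 * Assumes the 'vip_maintenance_mode_required_cap' filter from the REST snippet and
 * that this code is only loaded while maintenance mode is enabled.
 */
add_filter( 'authenticate', function ( $user, $username, $password ) {
	// Only act on XML-RPC requests; xmlrpc.php defines XMLRPC_REQUEST as true.
	if ( ! defined( 'XMLRPC_REQUEST' ) || ! XMLRPC_REQUEST ) {
		return $user;
	}
	// Earlier handlers rejected the credentials or did not resolve a user; keep that result.
	if ( ! $user instanceof WP_User ) {
		return $user;
	}
	$required_capability = apply_filters( 'vip_maintenance_mode_required_cap', 'edit_posts' );
	if ( ! user_can( $user, $required_capability ) ) {
		// wp_xmlrpc_server::login() turns any WP_Error returned here into a 403 fault,
		// so the call fails even though the credentials themselves were valid.
		return new WP_Error( 'maintenance_mode_forbidden', __( 'Sorry, you are not allowed to do that.' ) );
	}
	return $user;
}, 999, 3 );
```

Running at priority 999 with three accepted arguments places the check after core's username/password and application-password handlers, so it only ever sees an already-authenticated `WP_User`.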