plugins - How can I add a permissions callback to the REST API index pages?

I'd like to block unauthenticated users from accessing the index JSON pages, such as /wp-json and /wp-json/myplugin/v1. Is there a way for me to do this? I currently just have everything except the login page blocked for all unauthenticated users, but there are a few other pages I'd like to add and I don't want to end up with a long whitelist to maintain.

I'd like to block unauthenticated users from accessing the index JSON pages, such as /wp-json and /wp-json/myplugin/v1. Is there a way for me to do this? I currently just have everything except the login page blocked for all unauthenticated users, but there are a few other pages I'd like to add and I don't want to end up with a long whitelist to maintain.

• plugins
• rest-api

Share Improve this question asked Jun 6, 2019 at 16:59 KennyKenny 10111 bronze badge 3

• 1 Note that those pages only list the endpoints that the user has access to, if you make all the endpoints under wp-json/myplugin/v1 require a login, then nothing will be listed to logged out users, that route may not even be accessible. So if your goal is to conceal endpoints to users who shouldn't be using them, then the REST API already does that, you just need to secure your endpoints – Tom J Nowell ♦ Commented Jun 6, 2019 at 17:18
• I just successfully viewed all endpoints in a private window with no login. Nearly all of them have permission_callbacks that require a user to be logged in. – Kenny Commented Jun 6, 2019 at 19:33
• and visiting those endpoints without being logged in works? – Tom J Nowell ♦ Commented Jun 7, 2019 at 0:19

Add a comment  | 

1 Answer 1

Sorted by: Reset to default 0

I no longer have access to the code where I eventually solved this, but the filters rest_endpoints_description and rest_route_data were almost certainly involved. https://developer.wordpress.org/reference/classes/wp_rest_server/get_data_for_routes/