[wp-trac] [WordPress Trac] #57829: Post "Read" Capability for Rest API
WordPress Trac
noreply at wordpress.org
Thu Jul 20 17:58:58 UTC 2023
#57829: Post "Read" Capability for Rest API
-------------------------------+------------------------------
Reporter: juvodesign | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Posts, Post Types | Version:
Severity: normal | Resolution:
Keywords: | Focuses: rest-api
-------------------------------+------------------------------
Changes (by grayscale):
* focuses: => rest-api
* component: General => Posts, Post Types
Comment:
I would also agree.

I would go farther and say that the requirement of setting "show_in_rest"
to true as a means to enable the Gutenberg editor on CPTs has probably led
many developers to unintentionally expose private post type data via the
REST API.

I don't understand the connection between enabling the post type to be
visible in the REST API and enabling the Gutenberg editor.

I've tried setting the following options to prevent CPTs from being
visible when Gutenberg is also enabled, but none prevent visibility:

    'public' => false,
    'has_archive' => false,
    'publicly_queryable' => false,
    'exclude_from_search' => false

This seems like a security concern to me. I've personally needed to write
additional code to disable the REST API output for a given CPT that I
also want Gutenberg to be enabled on.

I think enabling the Gutenberg editor on a CPT should be a separate
option. Though I guess it is too late for that!
--
Ticket URL: <https://core.trac.wordpress.org/ticket/57829#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
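
One way to keep the block editor on a custom post type while refusing anonymous REST reads, as an added example that is not part of the ticket or the comment above and is not WordPress core code. The post type name "internal_note", the rest_base "internal-notes" and the class name are hypothetical.

```php
<?php
/**
 * Added example. "internal_note" and Internal_Note_REST_Controller are
 * hypothetical names chosen for illustration.
 */
class Internal_Note_REST_Controller extends WP_REST_Posts_Controller {

	// Collection route: GET /wp/v2/internal-notes
	public function get_items_permissions_check( $request ) {
		$denied = $this->require_editor();
		return is_wp_error( $denied ) ? $denied : parent::get_items_permissions_check( $request );
	}

	// Single item route: GET /wp/v2/internal-notes/<id>
	public function get_item_permissions_check( $request ) {
		$denied = $this->require_editor();
		return is_wp_error( $denied ) ? $denied : parent::get_item_permissions_check( $request );
	}

	// Require the capability the editor screen itself needs before any read.
	private function require_editor() {
		$type = get_post_type_object( $this->post_type );
		if ( current_user_can( $type->cap->edit_posts ) ) {
			return true;
		}
		return new WP_Error(
			'rest_forbidden',
			__( 'Sorry, you are not allowed to view these posts.' ),
			array( 'status' => rest_authorization_required_code() ) // 401 or 403
		);
	}
}

add_action( 'init', function () {
	register_post_type( 'internal_note', array(
		'label'                 => 'Internal Notes',
		'public'                => false,
		'show_ui'               => true,
		'show_in_rest'          => true, // still required for the block editor
		'rest_base'             => 'internal-notes',
		'rest_controller_class' => 'Internal_Note_REST_Controller',
		'supports'              => array( 'title', 'editor' ),
	) );
} );
```

To check the result, request /wp-json/wp/v2/internal-notes without credentials and confirm the response is the rest_forbidden error rather than a list of posts. The override covers only the read checks on this post type's own collection and item routes.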