[wp-trac] [WordPress Trac] #49110: Add ability to lock/restrict public REST API access from WP Admin
WordPress Trac
noreply at wordpress.org
Thu Jan 2 11:47:25 UTC 2020
#49110: Add ability to lock/restrict public REST API access from WP Admin
-------------------------+------------------------------------------------
Reporter: apedog | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: REST API | Version:
Severity: normal | Resolution:
Keywords: | Focuses: administration, rest-api, privacy
-------------------------+------------------------------------------------
Comment (by knutsp):
The ambition to not let any very low end "developer/hacker" get any
surprises about how content of an advanced publishing system for the
internet gets accessible is very odd, IMO. Like an ostrich that buries its
head in the sand, it is not invisible.
When first digging into WordPress, many years ago, I remember I was a bit
surprised RSS feeds were also available for any archive, just by adding
/feed to the URL. Should I have expected it not to, based on the fact that
I had edited the template? I even deleted such template, but still the
index.php took over. I understood one thing quite early: Must learn more, or
else I don't know what I am really doing, so far.
Replying to [comment:9 apedog]:
> - WP Admin area ''must'' (IMO) afford to its user as much control of the
> REST API as it affords to robots.txt and the RSS feed.
robots.txt is not enforcing restrictions.
The options for feeds are just for convenience. To disable it you need a
plugin.
> - WP Admin area ''must'' (IMO) afford to its user as information about
> REST API as it gives about RSS.
That's very little, and I don't think it belongs in the admin area for end
users. To be educated in how WordPress works you must consult
documentation.
An overview of how content may be accessed through different interfaces
and formats will be a good thing, if not already there. This may be linked
to from admin.
The goal of the REST API is to provide access not only to public content, but
also for editing and administration.
Properly and completely restricting access is a thing for dedicated
plugins, like membership, written by people who actually know what they
are doing. Trying to make it correct by assuming that what you can't see in
a browser by visiting exposed links of your site is not there is not a way to go.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/49110#comment:10>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform