WP REST API 为现有端点设置权限
WP REST API Set Permission for Existing Endpoints
我有一个自定义 post 类型 card,我通过 WP REST API 公开了它。
function register_card_post_type() {
$labels = array(
"name" => __( 'Cards', '' ),
"singular_name" => __( 'Card', '' ),
);
$args = array(
"label" => __( 'Cards', '' ),
"labels" => $labels,
"description" => "",
"public" => true,
"publicly_queryable" => true,
"show_ui" => true,
"show_in_rest" => true, // ADD TO REST API
"rest_base" => "cards", // ADD TO REST API
"has_archive" => false,
"show_in_menu" => true,
"exclude_from_search" => false,
"capability_type" => "post",
"map_meta_cap" => true,
"hierarchical" => false,
"rewrite" => array( "slug" => "card", "with_front" => true ),
"query_var" => true,
"menu_position" => 5,
"supports" => array( "title" ),
);
register_post_type( "card", $args );
}
add_action( 'init', 'register_card_post_type' );
似乎默认情况下,端点是 public。如何设置端点的身份验证要求,以便 GET /cards/ 需要身份验证 cookie 或 header?
在 API 手册中展示了如何编写自定义端点,但理想情况下是否有过滤器或挂钩可用于扩展自动生成的端点?
add_action( 'rest_api_init', function () {
register_rest_route( 'myplugin/v1', '/author/(?P<id>\d+)', array(
'methods' => 'GET',
'callback' => 'my_awesome_func',
'args' => array(
'id' => array(
'validate_callback' => 'is_numeric'
),
),
'permission_callback' => function () {
return current_user_can( 'edit_others_posts' );
}
) );
} );
您可以使用 rest_pre_dispatch 过滤器来检查 URL 并撤销未登录用户对该端点的访问权限:
add_filter( 'rest_pre_dispatch', function() {
$url = strtok($_SERVER["REQUEST_URI"],'?');
if ( !is_user_logged_in() &&
!in_array($url, array ( //using "in_array" because you can add mmultiple endpoints here
"/wp-json/cards",
))){
return new WP_Error( 'not-logged-in', 'API Requests to '.$url.' are only supported for authenticated requests', array( 'status' => 401 ) );
}
} );
这不是最佳解决方案,因为它将 运行 查询并过滤结果,但我一直在使用它,直到发现一种在查询之前阻止 API 访问的方法已执行。
我有一个自定义 post 类型 card,我通过 WP REST API 公开了它。
function register_card_post_type() {
$labels = array(
"name" => __( 'Cards', '' ),
"singular_name" => __( 'Card', '' ),
);
$args = array(
"label" => __( 'Cards', '' ),
"labels" => $labels,
"description" => "",
"public" => true,
"publicly_queryable" => true,
"show_ui" => true,
"show_in_rest" => true, // ADD TO REST API
"rest_base" => "cards", // ADD TO REST API
"has_archive" => false,
"show_in_menu" => true,
"exclude_from_search" => false,
"capability_type" => "post",
"map_meta_cap" => true,
"hierarchical" => false,
"rewrite" => array( "slug" => "card", "with_front" => true ),
"query_var" => true,
"menu_position" => 5,
"supports" => array( "title" ),
);
register_post_type( "card", $args );
}
add_action( 'init', 'register_card_post_type' );
似乎默认情况下,端点是 public。如何设置端点的身份验证要求,以便 GET /cards/ 需要身份验证 cookie 或 header?
在 API 手册中展示了如何编写自定义端点,但理想情况下是否有过滤器或挂钩可用于扩展自动生成的端点?
add_action( 'rest_api_init', function () {
register_rest_route( 'myplugin/v1', '/author/(?P<id>\d+)', array(
'methods' => 'GET',
'callback' => 'my_awesome_func',
'args' => array(
'id' => array(
'validate_callback' => 'is_numeric'
),
),
'permission_callback' => function () {
return current_user_can( 'edit_others_posts' );
}
) );
} );
您可以使用 rest_pre_dispatch 过滤器来检查 URL 并撤销未登录用户对该端点的访问权限:
add_filter( 'rest_pre_dispatch', function() {
$url = strtok($_SERVER["REQUEST_URI"],'?');
if ( !is_user_logged_in() &&
!in_array($url, array ( //using "in_array" because you can add mmultiple endpoints here
"/wp-json/cards",
))){
return new WP_Error( 'not-logged-in', 'API Requests to '.$url.' are only supported for authenticated requests', array( 'status' => 401 ) );
}
} );
这不是最佳解决方案,因为它将 运行 查询并过滤结果,但我一直在使用它,直到发现一种在查询之前阻止 API 访问的方法已执行。