Title: Blocking some REST API endpoints
Last modified: September 21, 2020

---

# Blocking some REST API endpoints

 *  [chantaspell](https://wordpress.org/support/users/chantaspell/)
 * (@chantaspell)
 * [5 years, 8 months ago](https://wordpress.org/support/topic/blocking-some-rest-api-endpoints/)
 * Hi
    Been trying to get this to work for ages!
 * I am creating a React app that uses WordPress as a backend through the REST API.
   I want registered users to be able to create/edit/view their own posts via the
   `/wp/v2/posts/POST_ID` endpoint, but for that endpoint to be hidden for everyone
   else and not logged in users.
 * I figured I could achieve this if I set my registered users to “Contributor” 
   or “Author” and used `current_user_can( 'edit_post', $post->ID )` to control 
   access to the endpoints by doing something like:
 *     ```
       if ( is_user_logged_in() ) {
           // Logged-in user: gate REST access on a capability check.
           add_filter( 'rest_authentication_errors', function( $result ) {
               // Note: $post is not defined inside this closure.
               if ( ! current_user_can( 'edit_post', $post->ID ) ) {
                   return new WP_Error( 'rest_not_admin', 'You are not entitled to view that.', array( 'status' => 401 ) );
               }
               return $result;
           });
       } else {
           // User is logged out - block endpoints.
           add_filter( 'rest_endpoints', function( $endpoints ) {
               if ( isset( $endpoints['/wp/v2/posts'] ) ) {
                   unset( $endpoints['/wp/v2/posts'] );
               }
               if ( isset( $endpoints['/wp/v2/posts/(?P<id>[\d]+)'] ) ) {
                   unset( $endpoints['/wp/v2/posts/(?P<id>[\d]+)'] );
               }
               return $endpoints;
           });
       }
       ```
   
 * This keeps the not-logged-in users out, but it doesn’t allow logged-in users 
   to view their own posts. If I change it to `current_user_can( 'edit_posts')` logged
   in users can see all posts.
 * Any idea how I could achieve this?
 * Many thanks!

Viewing 2 replies - 1 through 2 (of 2 total)

 *  Moderator [bcworkz](https://wordpress.org/support/users/bcworkz/)
 * (@bcworkz)
 * [5 years, 8 months ago](https://wordpress.org/support/topic/blocking-some-rest-api-endpoints/#post-13445559)
 * It’s normal for users to be able to see others’ posts, so working off capabilities
   doesn’t really help much. Try restricting returned posts by qualifying the query
   through “pre_get_posts” action. Set the “author” query var to that of the current
   user. You probably should check if constant `REST_REQUEST` is `true` before setting
   anything through this action.
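
The approach suggested in the reply above, written out as an added example (not code from the thread or from WordPress itself). It goes one step further and also covers the single-post route from the question, because that route loads the post with `get_post()` rather than `WP_Query` and is not reached by `pre_get_posts`. The `edit_others_posts` exemption, the error code and the message are assumptions.

```php
<?php
// Added example, not code from the thread. Assumption: users with
// 'edit_others_posts' (editors, administrators) may still see every post.

// Collection route /wp/v2/posts: restrict the WP_Query to the current author.
add_action( 'pre_get_posts', function ( WP_Query $query ) {
    if ( ! defined( 'REST_REQUEST' ) || ! REST_REQUEST ) {
        return; // Leave front-end and admin queries alone.
    }
    if ( 'post' !== $query->get( 'post_type' ) || current_user_can( 'edit_others_posts' ) ) {
        return;
    }
    $user_id = get_current_user_id();
    if ( 0 === $user_id ) {
        // WP_Query ignores author=0, which would return everyone's posts.
        // Force an empty result for anonymous requests instead.
        $query->set( 'post__in', array( 0 ) );
        return;
    }
    $query->set( 'author', $user_id );
} );

// Single route /wp/v2/posts/<id>: pre_get_posts never runs for it, so check
// ownership before the route's own callbacks execute.
add_filter( 'rest_request_before_callbacks', function ( $response, $handler, WP_REST_Request $request ) {
    if ( is_wp_error( $response ) ) {
        return $response; // Keep an earlier error.
    }
    if ( ! preg_match( '#^/wp/v2/posts/(\d+)$#', $request->get_route(), $m ) ) {
        return $response; // Not the single-post route.
    }
    $post = get_post( (int) $m[1] );
    if ( ! $post ) {
        return $response; // Let the controller answer 404.
    }
    $user_id  = get_current_user_id();
    // Require a real user ID so author-less posts (post_author 0) never match anonymous requests.
    $is_owner = $user_id > 0 && (int) $post->post_author === $user_id;
    if ( ! $is_owner && ! current_user_can( 'edit_others_posts' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'You are not entitled to view that.',
            array( 'status' => rest_authorization_required_code() ) // 401 logged out, 403 logged in.
        );
    }
    return $response;
}, 10, 3 );
```
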
 *  Thread Starter [chantaspell](https://wordpress.org/support/users/chantaspell/)
 * (@chantaspell)
 * [5 years, 8 months ago](https://wordpress.org/support/topic/blocking-some-rest-api-endpoints/#post-13449294)
 * Thanks [@bcworkz](https://wordpress.org/support/users/bcworkz/), I’ll read up
   on pre_get_posts and see what I can figure out.


The topic ‘Blocking some REST API endpoints’ is closed to new replies.

 * In: [Developing with WordPress](https://wordpress.org/support/forum/wp-advanced/)
 * 2 replies
 * 2 participants
 * Last reply from: [chantaspell](https://wordpress.org/support/users/chantaspell/)
 * Last activity: [5 years, 8 months ago](https://wordpress.org/support/topic/blocking-some-rest-api-endpoints/#post-13449294)
 * Status: not resolved

