I have a contact-form plugin that requires access to the REST API. My original settings were to disallow access to the REST API except for administrators and editors.
However, to allow the contact form to work I have to remove REST API authentication for the contact form, hence I modified the authentication code such that authentication will not be required if the request URL contains the following string <wp-json/contact-form-7> [this string is part of the request URL address; the full address is https://mywebsite.com/wp-json/contact-form-7/v1/contact-forms/18047]
My question is whether this is a flawed method from a security standpoint and, if it is, whether there is a recommended alternative.
Appreciating your feedback
add_filter('rest_authentication_errors', function ($errors) {
    if (!is_wp_error($errors)) { // do nothing if there is already an error
        // Initialise both flags so they are defined for anonymous requests too
        $can_access  = false;
        $can_access2 = false;
        if (is_user_logged_in()) {
            $roles = (array) wp_get_current_user()->roles;
            $can_access  = in_array('administrator', $roles, true); // allows only the Administrator role
            $can_access2 = in_array('editor', $roles, true);        // allows only the Editor role
        }
        #*** Checking if url is for contact-form
        global $wp;
        $url_home22 = home_url($wp->request);
        // strpos() returns the position (possibly 0) or false, so compare against false explicitly
        if (strpos($url_home22, 'wp-json/contact-form-7') !== false) {
            $contact_form = true;
        } else {
            $contact_form = false;
        }
        #*** If user is admin or editor or if url is contact form then allow access to api, otherwise, deny access
        if (!$can_access && !$can_access2 && $contact_form === false) {
            return new WP_Error('user_not_allowed',
                'Sorry, you are not allowed to access the REST API.',
                array('status' => rest_authorization_required_code())
            );
        }
    }
    return $errors;
});
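As an added example (not the poster's code, and not code from Contact Form 7 or WordPress core), here is the same policy expressed against the REST route rather than a substring of the full URL. It reads the `rest_route` query var that WordPress fills from the `^wp-json/(.*)` rewrite rule before `rest_authentication_errors` runs, lets anonymous visitors reach only routes under the `/contact-form-7/v1/` namespace (the namespace is taken from the URL in the question and is an assumption about the plugin), and keeps the administrator/editor rule from the question. Function names prefixed `example_` and the two constants are this example's own.

```php
<?php
/**
 * Added example, not from the original post: restrict the REST API to
 * administrators and editors, except for the Contact Form 7 namespace,
 * which anonymous visitors need in order to submit the form.
 *
 * Assumptions (carried over from the question, not verified against CF7):
 *   - the plugin's public routes live under /contact-form-7/v1/ ;
 *   - "administrator" and "editor" are the roles that keep full access.
 */

// Route namespaces that stay reachable without authentication.
// Matched as a prefix of the route, not as a substring anywhere in the URL.
const PUBLIC_REST_NAMESPACES = array('/contact-form-7/v1/');

// Roles that keep access to the whole REST API.
const PRIVILEGED_REST_ROLES = array('administrator', 'editor');

/**
 * Return the REST route of the current request (e.g. "/wp/v2/posts"),
 * or null when no REST route was parsed. WordPress sets
 * $wp->query_vars['rest_route'] while dispatching the request, so it is
 * available by the time rest_authentication_errors is applied.
 */
function example_current_rest_route() {
    global $wp;
    if (empty($wp->query_vars['rest_route'])) {
        return null;
    }
    // Normalise to a single leading slash and no trailing slash.
    $route = '/' . ltrim($wp->query_vars['rest_route'], '/');
    return untrailingslashit($route);
}

/**
 * True when the route starts with one of the public namespaces.
 * The comparison is anchored at position 0, so only the real prefix
 * qualifies; the namespace string appearing later in the path does not.
 */
function example_route_is_public($route, $namespaces = PUBLIC_REST_NAMESPACES) {
    if ($route === null) {
        return false;
    }
    // Append "/" so a request for the bare namespace root also matches.
    $candidate = $route . '/';
    foreach ($namespaces as $ns) {
        if (strpos($candidate, $ns) === 0) {
            return true;
        }
    }
    return false;
}

/** True when the logged-in user holds one of the privileged roles. */
function example_user_is_privileged() {
    if (!is_user_logged_in()) {
        return false;
    }
    $roles = (array) wp_get_current_user()->roles;
    return count(array_intersect(PRIVILEGED_REST_ROLES, $roles)) > 0;
}

add_filter('rest_authentication_errors', function ($result) {
    // Another plugin already produced an authentication error: keep it.
    if (is_wp_error($result)) {
        return $result;
    }
    if (example_user_is_privileged()) {
        return $result;
    }
    if (example_route_is_public(example_current_rest_route())) {
        return $result;
    }
    // Everything else is denied. rest_authorization_required_code() gives
    // 401 for anonymous requests and 403 for logged-in users without the role.
    return new WP_Error(
        'rest_forbidden',
        __('Sorry, you are not allowed to access the REST API.'),
        array('status' => rest_authorization_required_code())
    );
});
```

Dropped into a small plugin or a theme's functions.php, this returns the same error response as the filter in the question for everyone outside the two roles; the only difference is that the exception is decided by the route prefix, so it fails closed for any REST request whose route does not begin with the allowed namespace, including requests made through `?rest_route=` when pretty permalinks are off.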