query_vars['rest_route'], '/' ); $route = rtrim( $route, '/' ); if ( empty( $route ) ) { // This is when visiting /wp-json root $allow_rest_api_access = false; } elseif ( false !== strpos( $route, 'altcha/v1' ) || false !== strpos( $route, 'two-factor/1.0' ) || in_array( 'contact-form-7/wp-contact-form-7.php', get_option( 'active_plugins', array() ) ) && false !== strpos( $route, 'contact-form-7/' ) || in_array( 'the-events-calendar/the-events-calendar.php', get_option( 'active_plugins', array() ) ) && false !== strpos( $route, 'tribe/' ) ) { $allow_rest_api_access = true; } else { } $user = $this->get_user_for_rest_access_check(); if ( $user->exists() ) { $allow_rest_api_access = true; } if ( !$allow_rest_api_access ) { return new WP_Error('rest_api_authentication_required', __( 'The REST API has been restricted to authenticated users.', 'admin-site-enhancements' ), array( 'status' => rest_authorization_required_code(), )); } // Allow path: pass through unchanged so core's `true` is preserved. return $errors; } /** * User to evaluate for REST role allowlist. * * rest_cookie_check_errors (priority 100) may clear the current user when no REST nonce * is sent, so fall back to the logged-in auth cookie for role checks at priority 200. * * @since 8.8.2 * * @return \WP_User */ private function get_user_for_rest_access_check() { $user = wp_get_current_user(); if ( $user->exists() ) { return $user; } $user_id = wp_validate_auth_cookie( '', 'logged_in' ); if ( $user_id ) { $user = get_userdata( $user_id ); if ( $user instanceof \WP_User ) { return $user; } } return new \WP_User(0); } }