I'm trying to setup a REST API on my Wordpress site but I keep getting a:
403 "rest_forbidden","message": "Sorry, you are not allowed to do that."
message
on both a normal user and also my administrator account.
I just don't get it.
I've tried to do my homework at read different articles on the matter and I've come to the conclusion that my users don't have the "manage_options" permission. Even the administrator and that is a puzzel for me as it should be granted as a standard.
I've tried to fix the error by following the 2 articles:
403 "rest_forbidden" error in WordPress REST API (but only for settings)?
I need some help!!!
My JS code looks like this:
$.ajax({
json/agility_body_reactions/v1/exercise_data_submits',
url: 'https://MySite.dk/wp-json/agility/v1/body_reactions_exercise_submits/',
method: 'POST',
beforeSend: function(xhr) {
xhr.setRequestHeader(
'X-WP-Nonce',
wpApiSettings.nonce );
},
data: {
gender: gender,
age: age,
minutes: minutes,
seconds: seconds
}
});
My Register Endpoint code looks like this:
add_action('rest_api_init', 'register_endpoint_body_reaction');
function register_endpoint_body_reaction()
{
register_rest_route(
'agility/v1',
'/body_reactions_exercise_submits/',
array(
'methods' => 'POST',
'callback' => 'callback_body_reaction',
'args' => array(
'age' => array(
'required' => true,
'validate_callback' => function($param, $request) {
return is_numeric( $param) and ! is_null( $param);
},
'sanitize_callback' => 'absint'
),
'minutes' => array(
'required' => true,
'validate_callback' => function($param, $request) {
return is_numeric( $param) and ! is_null( $param);
},
'sanitize_callback' => 'absint'
)
)
,
'permission_callback' => function() {
if ( !is_user_logged_in() ) {
return new WP_Error( 'Unauthorized', 'Sorry, but your not logged in...fll', array( 'status' => 401 ) );
}
}
)
);
}
My Enqueue Scripts code looks like this:
add_action( 'wp_enqueue_scripts', 'enqueue_js_body_reaction');
function enqueue_js_body_reaction()
{
if (!is_page('agility-body-reaction')) {
return;
}
wp_enqueue_script(
'agility_body_reaction',
plugins_url( '../js/agility_body_reaction.js', __FILE__ ),
array( 'jquery', 'jquery-ui-core' ),
AGILITY_BODY_REACTION_VERSION,
true
);
wp_localize_script(
'agility_body_reaction',
'wpApiSettings',
array(
'root' => esc_url_raw( rest_url() ),
'nonce' => wp_create_nonce( 'wp_rest' ),
)
);
}
So my questions are:
- How do I get the right permissions "manage_option" added to the users?
- The "manage_option" seem a lot of right to grant a normal user even if it is for a short time isn't there another way to run the REST API with just normal subscriber permissions?
Thanks.
Flemming
UPDATE!
I added some code to my Registre Endpoint Permission_callback:
if ( !current_user_can( 'manage_options' ) ) {
return new WP_Error( 'Unauthorized', 'Sorry, but you dont have the manage_options permissions...fll', array( 'status' => 401 ) );
}
I then tried the REST API with my admin & with the normal user.
The Admin gets a 403 which means it has the "manage_options" set. The normal user gets the above message which means it has no "manage_options set."
I guess this means that there are some other issue with my REST API. I still need to know how to enable the "manage_options" for a normal user though.
UPDATE!
I read in some articles that the .htaccess could create an "403 Forbidden" but I'm really not familiar with this file. I'm quite desperate so I'll post the .htaccess configuration.
# BEGIN Really Simple SSL Redirect 5.3.0
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTPS} !=on [NC]
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
</IfModule>
# END Really Simple SSL Redirect
# BEGIN WordPress
# The directives (lines) between "BEGIN WordPress" and "END WordPress" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
# Wordfence WAF
<IfModule LiteSpeed>
php_value auto_prepend_file '/var/www/<MySite>/public_html/wordfence-waf.php'
</IfModule>
<IfModule lsapi_module>
php_value auto_prepend_file '/var/www/<MySite>/public_html/wordfence-waf.php'
</IfModule>
<Files ".user.ini">
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
</IfModule>
</Files>
# END Wordfence WAF
CodePudding user response:
I found the error.
The code with is_user_logged_in had an error.
'permission_callback' => function() {
if ( !is_user_logged_in() ) {
return new WP_Error( 'Unauthorized', 'Sorry, but your not logged in...fll', array( 'status' => 401 ) );
}
}
It should have logged like this:
'permission_callback' => function() {
return is_user_logged_in();
}
So all the code besides this works as it should for the cookie based authentication.