Abusing the WordPress REST API
Earlier, I was playing around with the WordPress REST API and I was struggling to figure out why the WordPress function is_user_logged_in() was not working with my custom endpoint. The function returns false regardless of whether the user is logged in or not. Turns out, this is by design and I needed to send a nonce within my endpoint request. Doh.
Anyhow, before I figured this out (RTFM, Philip), I came up with a rather fugly workaround. The hack was to add an action to the rest_api_init hook, call the is_user_logged_in() function and set a global variable, which could then be accessed from within the endpoint. Now, I’m not sure I would recommend using this hack, but it did occur to me that there could be a scenario where it’s not possible to send a nonce with the request, in which case the only way to test if the user is logged in would be within the endpoint’s code.
How bad am I?
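For comparison, the nonce-based approach the post refers to, as an added example that is not code from the original post. The plugin header, the `example/v1` namespace, the `/whoami` route and the `example-whoami` script handle are assumptions made for illustration.

```php
<?php
/**
 * Plugin Name: Example REST login check (added example, hypothetical plugin)
 */

// Register a custom endpoint. Namespace and route are hypothetical.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/whoami', array(
        'methods'             => 'GET',
        // With cookie authentication, WordPress only keeps the logged-in
        // user for a REST request that carries a valid 'wp_rest' nonce, so
        // this check passes only for requests sent with that nonce.
        'permission_callback' => function () {
            return is_user_logged_in();
        },
        'callback'            => function ( WP_REST_Request $request ) {
            $user = wp_get_current_user();
            return rest_ensure_response( array(
                'id'   => $user->ID,
                'name' => $user->display_name,
            ) );
        },
    ) );
} );

// Give the front end the endpoint URL and a 'wp_rest' nonce, then call the
// endpoint with the nonce in the X-WP-Nonce header.
add_action( 'wp_enqueue_scripts', function () {
    if ( ! is_user_logged_in() ) {
        return; // Nothing to demonstrate for anonymous visitors.
    }
    $config = wp_json_encode( array(
        'url'   => esc_url_raw( rest_url( 'example/v1/whoami' ) ),
        'nonce' => wp_create_nonce( 'wp_rest' ),
    ) );
    // A handle with no source file exists only to carry the inline script.
    wp_register_script( 'example-whoami', false, array(), null, true );
    wp_enqueue_script( 'example-whoami' );
    wp_add_inline_script( 'example-whoami', "
        const cfg = {$config};
        fetch( cfg.url, {
            credentials: 'same-origin',
            headers: { 'X-WP-Nonce': cfg.nonce }
        } ).then( ( r ) => r.json() ).then( console.log );
    " );
} );
```

The same nonce can be sent as a `_wpnonce` request parameter instead of the header. Keeping the nonce check in place is what protects cookie-authenticated endpoints against cross-site request forgery.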
Here is a way to disable the nonce requirement:
@Craig, nifty, I’ll give that a try. Thank you.