Abusing the WordPress REST API
Earlier, I was playing around with the WordPress REST API and I was struggling to figure out why the WordPress function is_user_logged_in() was not working with my custom endpoint. The function returns false regardless of whether the user is logged in or not. Turns out, this is by design and I needed to send a nonce within my endpoint request. Doh.
Anyhow, before I figured this out (RTFM, Philip), I came up with a rather fugly workaround. The hack was to add an action to the rest_api_init hook, call the is_user_logged_in() function and set a global variable, which could then be accessed from within the endpoint. Now, I’m not sure I would recommend using this hack, but it did occur to me that there could be a scenario where it’s not possible to send a nonce with the request, in which case the only way to test if the user is logged in would be within the endpoint’s code.
How bad am I?
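The two approaches described above, side by side, as an added example that is not code from the original post: the rest_api_init workaround, and the nonce-based request the REST API expects from cookie-authenticated users. The demo/v1 route, the $demo_logged_in global, the demo-client script handle and its file name are assumed names.

```php
<?php
/**
 * Plugin Name: REST login check demo (added example; all "demo" names are assumptions)
 */

// 1) The workaround from the post. rest_api_init fires before the REST server
//    runs its cookie/nonce check, so the cookie user is still set at this point.
//    After that check, a request without a valid nonce is treated as logged out.
add_action( 'rest_api_init', function () {
    global $demo_logged_in;                    // hypothetical global
    $demo_logged_in = is_user_logged_in();     // true even when no nonce was sent
}, 1 );

// 2) The documented approach: let the nonce check run and gate the route in
//    permission_callback. With a valid X-WP-Nonce the cookie user is kept.
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo/v1', '/whoami', array(
        'methods'             => 'GET',
        'permission_callback' => 'is_user_logged_in',
        'callback'            => function ( WP_REST_Request $request ) {
            return rest_ensure_response( array(
                'user_id' => get_current_user_id(),
            ) );
        },
    ) );
} );

// 3) Hand a nonce for the "wp_rest" action to the front-end script.
add_action( 'wp_enqueue_scripts', function () {
    $src = plugins_url( 'demo-client.js', __FILE__ );
    wp_enqueue_script( 'demo-client', $src, array(), '1.0', true );
    wp_localize_script( 'demo-client', 'demoRest', array(
        'url'   => esc_url_raw( rest_url( 'demo/v1/whoami' ) ),
        'nonce' => wp_create_nonce( 'wp_rest' ),
    ) );
} );

// demo-client.js (kept as a comment so the example stays in one file):
//   fetch( demoRest.url, {
//       credentials: 'same-origin',
//       headers: { 'X-WP-Nonce': demoRest.nonce },
//   } ).then( ( r ) => r.json() ).then( console.log );
```

Because the workaround reads the login state before the nonce check, an endpoint that relies on it accepts cookie-only requests, which is the cross-site request forgery case the nonce exists to stop.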