Merge pull request #11 from eighteen73/develop

Disable the /wp-json/wp/v2/users endpoint only when not admin
eighteen73 · Jun 4, 2024 · 16dcd35 · 16dcd35
2 parents 691e645 + 3ecdab3
commit 16dcd35
Showing 1 changed file with 7 additions and 5 deletions.
diff --git a/includes/classes/Security/DisableAPI.php b/includes/classes/Security/DisableAPI.php
@@ -35,11 +35,13 @@ public function setup() {
 	 * @return array
 	 */
 	public function disable_users( array $endpoints ): array {
-		if ( isset( $endpoints['/wp/v2/users'] ) ) {
-			unset( $endpoints['/wp/v2/users'] );
-		}
-		if ( isset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] ) ) {
-			unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
+		if ( ! is_user_logged_in() && ! is_admin() ) {
+			if ( isset( $endpoints['/wp/v2/users'] ) ) {
+				unset( $endpoints['/wp/v2/users'] );
+			}
+			if ( isset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] ) ) {
+				unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
+			}
 		}
 		return $endpoints;
 	}