From d803e7d7498d45da15f025cd1d40734e7e9bceec Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Szymoszek?=
Date: Thu, 4 Jul 2024 14:41:50 +0200
Subject: [PATCH] Block user rest Blocks user REST API endpoint for not logged in users Add textdomain
---
 app/Core/Setup.php | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
diff --git a/app/Core/Setup.php b/app/Core/Setup.php
index da9ee7a..8ef5a7f 100644
--- a/app/Core/Setup.php
+++ b/app/Core/Setup.php
@@ -41,4 +41,38 @@ public function setLoginLogo(): string
 return '';
 }
+
+ /**
+ * @filter rest_authentication_errors
+ */
+ public function disableDefaultEndpoints(\WP_Error|bool|null $access): \WP_Error|bool|null
+ {
+ $endpointsToRemove = [
+ '/wp/v2/users',
+ ];
+
+ if (! is_user_logged_in()) {
+ $currentEndpoint = $GLOBALS['wp']->query_vars['rest_route'] ?: '';
+
+ foreach ($endpointsToRemove as $toRemove) {
+ if (false !== stripos($currentEndpoint, $toRemove)) {
+ if (is_wp_error($access)) {
+ $access->add(
+ 'rest_forbidden',
+ __('Sorry, you are not allowed to do that.', 'firestarter'),
+ ['status' => rest_authorization_required_code()]
+ );
+ } else {
+ return new \WP_Error(
+ 'rest_forbidden',
+ __('Sorry, you are not allowed to do that.', 'firestarter'),
+ ['status' => rest_authorization_required_code()]
+ );
+ }
+ }
+ }
+ }
+
+ return $access;
+ }
 }
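Review bot: The guard in `disableDefaultEndpoints()` keys on the outer request's `$GLOBALS['wp']->query_vars['rest_route']`, so it covers only direct HTTP calls whose route contains `/wp/v2/users`. As far as I can tell, user records that the REST server resolves through an internal dispatch (for example linked resources embedded in another response) do not pass through `rest_authentication_errors` again and would still reach anonymous clients. If the goal is to hide user data rather than one URL, enforce it where the users routes check permissions, and state the intended scope in the docblock, which currently holds only `@filter`. Separately, `?: ''` still raises an undefined-key warning when `rest_route` is absent; `$currentEndpoint = $GLOBALS['wp']->query_vars['rest_route'] ?? '';` avoids it. The `stripos()` test is a substring match, so any route that merely contains `/wp/v2/users` is blocked as well; that fails closed, but deserves a one-line comment such as `// substring match on purpose: also blocks /wp/v2/users/<id>`.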