
rest api - Setting ?context=edit results in rest_forbidden_context, even for an Administrator user


I'm an Administrator role user. When I'm using the REST API, if I attempt to call

    GET /wp-json/wp/v2/posts?context=edit

I get this error message:

    401 Unauthorized : [rest_forbidden_context] Sorry, you are not allowed to edit posts in this post type.

Similar errors are generated for pages queries as well. If I query:

    GET /wp-json/wp/v2/users?context=edit

I get a slightly different error message:

    401 Unauthorized : [rest_forbidden_context] Sorry, you are not allowed to list users.

I can use the same API endpoints with ?context=view with no problem, but I'd like to be able to view the posts and page content without shortcode expansion, so it's my understanding that I need to query against edit context.

Again, I have the administrator role on the server and can log into the dashboard and edit any post, so I don't think it's a user permission issue with my userid. Any ideas on what might be causing the error?

Some additional details:

- My server version: 5.5.3
- Accessing the API using the wordpress_json library for Python (which under the hood uses requests' Basic Authentication headers)

Asked Nov 9, 2020 at 22:02 by William McVey; edited Nov 9, 2020 at 22:10.

1 Answer

Clearly your administrator is unable to modify those posts according to the roles and capabilities system.

This is the code that is generating that error in WP_REST_Post_Types_Controller:

    public function get_items_permissions_check( $request ) {
        if ( 'edit' === $request['context'] ) {
            $types = get_post_types( array( 'show_in_rest' => true ), 'objects' );

            foreach ( $types as $type ) {
                if ( current_user_can( $type->cap->edit_posts ) ) {
                    return true;
                }
            }

            return new WP_Error(
                'rest_cannot_view',
                __( 'Sorry, you are not allowed to edit posts in this post type.' ),
                array( 'status' => rest_authorization_required_code() )
            );
        }

        return true;
    }

So the user your Python application is interacting as does not have the edit_posts capability. Assuming it was successfully authenticating.

What I think has happened here is that you are making unauthenticated requests, under the assumption they are authenticated. Somewhere along the line a mistake was made, perhaps a header is not being applied to your requests, etc.

Either way, what you describe is normal behaviour for an unauthenticated client. I would take a closer look at your Python library. For something as simple as basic auth REST API a generic REST API library may be more appropriate and reliable.

Also keep in mind it's not enough to use basic authentication; a plugin needs to be installed and activated at the WP end. WP 5.6 also adds application password support as a more secure alternative.
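A way to tell "not authenticated" apart from "authenticated but lacking the capability", added here as an example that is not part of the original question or answer: the quoted check returns `rest_authorization_required_code()`, which yields 401 when no user is logged in for the request and 403 when a logged-in user lacks the capability. The function names `basic_auth_header`, `diagnose` and `probe` are hypothetical, and the base URL and credentials are supplied by the caller.

```python
import base64
import json
import urllib.error
import urllib.request


def basic_auth_header(user: str, password: str) -> dict:
    """Build the Authorization header explicitly so it can be inspected."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}


def diagnose(status: int, body: str) -> str:
    """Classify a WordPress REST reply by HTTP status and REST error code."""
    if 200 <= status < 300:
        return "ok"
    try:
        code = json.loads(body).get("code", "")
    except (ValueError, AttributeError):
        code = ""  # body was not a JSON object
    if status == 401:
        # No user was logged in for this request.
        return f"unauthenticated ({code}): credentials were not sent or not accepted"
    if status == 403:
        # A user was logged in but lacks the required capability.
        return f"authenticated but forbidden ({code}): user lacks the capability"
    return f"other error {status} ({code})"


def probe(base_url: str, user: str, password: str) -> str:
    """Request the edit context over HTTPS with explicit credentials."""
    req = urllib.request.Request(
        f"{base_url}/wp-json/wp/v2/posts?context=edit",
        headers=basic_auth_header(user, password),
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return diagnose(resp.status, resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        return diagnose(err.code, err.read().decode("utf-8", "replace"))


# Constructed sample: the error from the question, expressed as a JSON body.
SAMPLE = json.dumps({
    "code": "rest_forbidden_context",
    "message": "Sorry, you are not allowed to edit posts in this post type.",
    "data": {"status": 401},
})
```

Run against the question's error, `diagnose(401, SAMPLE)` reports the request as unauthenticated, which matches the answer's reading that the credentials never took effect on the WordPress side.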
