Force API Permissions

When using a REST API, you sometimes don’t want every route to be available for public use. CoCart is designed for the public, but you may have a reason to restrict public use of certain routes.

Maybe you don’t support guest customers on your store so you need to restrict all the public routes.

Forcing API permissions doesn’t mean that only administrators or shop managers can access the routes. It’s not enforced by user role. It just means that the routes cannot be used unless the request is authenticated.

How do you force API permission?

It’s actually pretty easy. All you need to do is apply a filter based on the method of the routes you want to force permission on.

There are no parameters required. Just return an array of the API routes you wish to force permission on.

Filter name: cocart_api_permission_check_{method}

Replace {method} with get, post, put, delete or options. See the example below.

// Require authentication for these routes when requested with GET.
add_filter( 'cocart_api_permission_check_get', function() {
  return array(
    'v1/count-items',
    'v2/cart/items/count',
    'v2/cart/totals',
    'v2/store'
  );
} );

This also works with the previous CoCart API and CoCart Pro. Just return the version of the API followed by the route. That’s it.
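
The following is an added example, not CoCart's own code: it applies the route list from the example above to every method the filter supports, so the restriction does not depend on which HTTP verb a client uses. The function names are hypothetical, and it assumes the value passed into the filter is the list of routes already forced by other code, which it merges with rather than replaces.

```php
<?php
/**
 * Added example (not part of CoCart): require authentication for the same
 * routes on every method that cocart_api_permission_check_{method} supports.
 */

// Route list copied from the example on this page; replace with your own.
// Hypothetical helper name.
function example_cocart_protected_routes() {
	return array(
		'v1/count-items',
		'v2/cart/items/count',
		'v2/cart/totals',
		'v2/store',
	);
}

// Hypothetical callback name.
// Assumption: $routes is the list already forced by other plugins or themes.
// Merging keeps their entries instead of silently overwriting them.
function example_cocart_force_permission( $routes = array() ) {
	return array_values(
		array_unique(
			array_merge( (array) $routes, example_cocart_protected_routes() )
		)
	);
}

// Methods listed on this page. Remove 'options' if browser clients depend on
// CORS preflight requests, because browsers send those without credentials.
$example_methods = array( 'get', 'post', 'put', 'delete', 'options' );

foreach ( $example_methods as $example_method ) {
	add_filter(
		'cocart_api_permission_check_' . $example_method,
		'example_cocart_force_permission'
	);
}
```

After deploying, request each listed route once without credentials and once with them to confirm that only the authenticated request succeeds.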