Hide private post type shadow terms in unauthed REST requests

Fixes #19
happyprime · Mar 1, 2024 · 4001c9f · 4001c9f
1 parent 6c96cca
commit 4001c9f
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/includes/taxonomy.php b/includes/taxonomy.php
@@ -79,6 +79,12 @@ function register_taxonomy( string $post_type ): void {
 		'show_admin_column'  => true,
 	);
 
+	// If a post type is not publicly queryable and not visible in the REST API,
+	// we should not expose that post type's shadow terms to unauthorized users.
+	if ( false === $post_type_object->publicly_queryable && false === $post_type_object->show_in_rest && ! is_user_logged_in() ) {
+		$args['show_in_rest'] = false;
+	}
+
 	/**
 	 * Filter the arguments used to register a shadow taxonomy.
 	 *