From 4001c9f88842c7c0399e4ac00e2b9425750bc555 Mon Sep 17 00:00:00 2001
From: Jeremy Felt <jeremy.felt@gmail.com>
Date: Thu, 29 Feb 2024 16:40:10 -0800
Subject: [PATCH] Hide private post type shadow terms in unauthed REST requests

Fixes #19
---
 includes/taxonomy.php | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/includes/taxonomy.php b/includes/taxonomy.php
index 6a30553..728048e 100644
--- a/includes/taxonomy.php
+++ b/includes/taxonomy.php
@@ -79,6 +79,12 @@ function register_taxonomy( string $post_type ): void {
 		'show_admin_column'  => true,
 	);
 
+	// If a post type is not publicly queryable and not visible in the REST API,
+	// we should not expose that post type's shadow terms to unauthorized users.
+	if ( false === $post_type_object->publicly_queryable && false === $post_type_object->show_in_rest && ! is_user_logged_in() ) {
+		$args['show_in_rest'] = false;
+	}
+
 	/**
 	 * Filter the arguments used to register a shadow taxonomy.
 	 *
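Review bot: The added condition at new line 84 gates on `is_user_logged_in()`, which checks authentication rather than authorization, so any logged-in account, including the lowest-privileged role on a site with open registration, still gets the private post type's shadow terms over REST. The comment above it says "unauthorized users", so a capability check would match the intent better, for example `! current_user_can( $post_type_object->cap->edit_posts )` in place of `! is_user_logged_in()`. The two strict `false ===` comparisons also fail open: if a post type was registered with a non-boolean falsy value, the branch is skipped and `show_in_rest` keeps its default. This decision is made once at registration time, so it presumably relies on the current user already being resolved for the REST request at that point; that cannot be confirmed here because `register_taxonomy()` starts and ends outside the hunk.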