From 4001c9f88842c7c0399e4ac00e2b9425750bc555 Mon Sep 17 00:00:00 2001
From: Jeremy Felt <jeremy.felt@gmail.com>
Date: Thu, 29 Feb 2024 16:40:10 -0800
Subject: [PATCH] Hide private post type shadow terms in unauthed REST requests Fixes #19
---
 includes/taxonomy.php | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/includes/taxonomy.php b/includes/taxonomy.php
index 6a30553..728048e 100644
--- a/includes/taxonomy.php
+++ b/includes/taxonomy.php
@@ -79,6 +79,12 @@ function register_taxonomy( string $post_type ): void {
 'show_admin_column' => true,
 );

+ // If a post type is not publicly queryable and not visible in the REST API,
+ // we should not expose that post type's shadow terms to unauthorized users.
+ if ( false === $post_type_object->publicly_queryable && false === $post_type_object->show_in_rest && ! is_user_logged_in() ) {
+ $args['show_in_rest'] = false;
+ }
+
 /**
 * Filter the arguments used to register a shadow taxonomy.
 *
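Review bot: The new guard in register_taxonomy() tests authentication rather than authorization: `! is_user_logged_in()` leaves `show_in_rest` enabled for every logged-in account, so on a site with open registration a subscriber-level user would still see the shadow terms of a non-public post type over REST, although the comment above the condition speaks of unauthorized users. Consider gating on a capability of the post type instead, e.g. `! current_user_can( $post_type_object->cap->edit_posts )` in place of `! is_user_logged_in()`. Because the flag is decided once at registration time, the outcome also depends on the current user already being resolved when this function runs; the hook that calls it is not visible in the hunk, so that is worth confirming. The body of register_taxonomy() starts before and continues past the hunk.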