Restrict access to extranet pages via REST API #3

@HPiirainen

Similar to how current floauth_filter_pre_get_posts works. defined( 'REST_REQUEST' ) can be used inside pre_get_posts to detect whether the query is a REST API request.

There are some difficulties though:

  • is_user_logged_in() does not work in pre_get_posts in REST requests, as being logged in does not mean the user is authenticated
  • is there a way to detect if it's an internal REST request? Implementing restriction for all REST requests would mean extranet pages wouldn't be shown f. ex. in block editor parent page selector

Might also consider simply emptying relevant fields (f. ex. content, excerpt) in the REST responses using rest_prepare_page filter instead of removing the pages from all results. But even this may have some undesired consequences and should be tested. This also does not empty any other fields (f. ex. plugin-specific fields) that might leak restricted content.
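
The rest_prepare_page approach described above, as an added example that is not code from the issue author or the plugin. The helpers example_is_extranet_page() and example_user_may_view_extranet(), the meta key, and the access rule are hypothetical placeholders for the plugin's own restriction logic.

```php
<?php
// Added example, not part of the plugin discussed in this issue.

// ASSUMPTION: hypothetical helper; the meta key is a constructed placeholder
// standing in for however the plugin marks a page as extranet-only.
function example_is_extranet_page( WP_Post $post ): bool {
	return (bool) get_post_meta( $post->ID, '_example_extranet_restricted', true );
}

// ASSUMPTION: hypothetical access rule. This filter runs while the REST
// server dispatches the route, after its authentication check, so the
// current user here is the one the REST request was authenticated as.
function example_user_may_view_extranet(): bool {
	return is_user_logged_in();
}

// Blank the body fields of restricted pages instead of dropping the pages
// from results, so id, title and parent stay available to list consumers.
function example_redact_extranet_page( $response, $post, $request ) {
	if ( ! $response instanceof WP_REST_Response ) {
		return $response;
	}
	if ( ! example_is_extranet_page( $post ) || example_user_may_view_extranet() ) {
		return $response;
	}

	$data = $response->get_data();
	foreach ( array( 'content', 'excerpt' ) as $field ) {
		if ( ! isset( $data[ $field ] ) || ! is_array( $data[ $field ] ) ) {
			continue; // Field absent, e.g. excluded via the _fields parameter.
		}
		// 'raw' is only present in the edit context; blank it when it exists.
		foreach ( array( 'rendered', 'raw' ) as $key ) {
			if ( array_key_exists( $key, $data[ $field ] ) ) {
				$data[ $field ][ $key ] = '';
			}
		}
	}
	// Only content and excerpt are handled; fields registered by other
	// plugins pass through unchanged and need their own review.
	$response->set_data( $data );

	return $response;
}
add_filter( 'rest_prepare_page', 'example_redact_extranet_page', 10, 3 );
```

To check the result, request a restricted page from /wp-json/wp/v2/pages/<id> without credentials and compare every field in the response against the same request made as an authorised user.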
