The plugin has a filter, dra_allow_rest_api, which determines whether the current user has full access and can skip the whitelist check. By default this is just is_user_logged_in():
/**
 * Decide whether the current request may bypass the endpoint whitelist.
 *
 * The starting value is is_user_logged_in(); callbacks hooked to the
 * 'dra_allow_rest_api' filter may override it. The filter result is cast
 * to bool, so any truthy return value grants full access for this request.
 *
 * @return bool True when the whitelist check is skipped.
 */
private function allow_rest_api() {
    $logged_in = is_user_logged_in();
    $allowed   = apply_filters( 'dra_allow_rest_api', $logged_in );

    return (bool) $allowed;
}
so we can hook that filter to clear the logged-in flag when the current user has the external_user role:
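/**
 * Filter callback for 'dra_allow_rest_api': users holding the external_user
 * role are treated as unauthenticated so they only reach whitelisted endpoints.
 *
 * @param bool $logged_in Current filter value (is_user_logged_in() by default).
 * @return bool False when the current user has the external_user role,
 *              otherwise the incoming value unchanged.
 */
function dra_disallow_external_users( $logged_in ) {
    if ( ! $logged_in ) {
        // Already restricted; pass the value through untouched.
        return $logged_in;
    }

    $user = wp_get_current_user();
    // Compare roles strictly. A missing user object or a non-array roles
    // property is treated as "no roles" instead of raising a TypeError.
    $roles = ( $user && isset( $user->roles ) ) ? (array) $user->roles : array();

    if ( in_array( 'external_user', $roles, true ) ) {
        // Treat external_users as unauthenticated
        // i.e. only allow access to whitelisted endpoints.
        return false;
    }

    return $logged_in;
}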
add_filter( 'dra_allow_rest_api', 'dra_disallow_external_users', 10, 1 );