I had to trace through WordPress core and the REST API plugin code to fix this, but finally did it. The solution is described here.
The TL;DR of the solution is that the WP-API will ignore the content of the login cookie and assume an unauthenticated (logged out) request unless the correct value is given in the _wpnonce HTTP GET parameter (in the query string) or the HTTP_X_WP_NONCE HTTP header. My JavaScript did not correctly include this. The corrected JavaScript method looks like this:
/**
 * Checks for any new comments.
 */
var pollForNewComments = function () {
    // The nonce must accompany the login cookie, otherwise the REST API
    // treats the request as unauthenticated.
    var url = api_base + "/comments&post=" + getPostId() + "&offset=" + getCommentCount()
        + "&_wpnonce=" + wpApiSettings.nonce;
    jQuery.get(url, function (response) {
        if (response.length) {
            appendComments(response);
            showNewCommentsNotice();
        }
    });
};
Note that adding the _wpnonce parameter in the query string with the wpApiSettings.nonce global JavaScript variable (which is added by the REST API plugin) fixes the issue for me.
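
The header route mentioned in the answer above, as an added example that is not part of the original post or of the REST API plugin: it sends the nonce in the X-WP-Nonce request header, which keeps it out of URLs that end up in access logs and browser history. The function names, their parameters and the example.test host are assumptions made for illustration; the nonce would come from wpApiSettings.nonce.

```javascript
// Hypothetical helper: builds the comments request with the nonce in a header.
function buildCommentsRequest(apiBase, postId, offset, nonce) {
  if (!Number.isInteger(postId) || postId < 1) {
    throw new TypeError('postId must be a positive integer');
  }
  if (!Number.isInteger(offset) || offset < 0) {
    throw new TypeError('offset must be a non-negative integer');
  }
  if (typeof nonce !== 'string' || nonce === '') {
    // Without a nonce the REST API ignores the login cookie, so fail loudly
    // instead of silently polling as a logged-out user.
    throw new Error('missing REST nonce');
  }
  // Handle both base styles: pretty permalinks (.../wp-json/wp/v2) and the
  // plain form (...?rest_route=/wp/v2), where the route is a query parameter.
  const url = new URL(apiBase);
  const route = url.searchParams.get('rest_route');
  if (route !== null) {
    url.searchParams.set('rest_route', route.replace(/\/$/, '') + '/comments');
  } else {
    url.pathname = url.pathname.replace(/\/$/, '') + '/comments';
  }
  // searchParams encodes the values, so nothing is concatenated raw.
  url.searchParams.set('post', String(postId));
  url.searchParams.set('offset', String(offset));
  return {
    url: url.toString(),
    credentials: 'same-origin', // send the login cookie to the same origin only
    headers: { 'X-WP-Nonce': nonce },
  };
}

// Hypothetical caller: performs the request and returns the parsed comments.
async function fetchNewComments(apiBase, postId, offset, nonce) {
  const req = buildCommentsRequest(apiBase, postId, offset, nonce);
  const res = await fetch(req.url, {
    credentials: req.credentials,
    headers: req.headers,
  });
  if (!res.ok) {
    throw new Error('REST request failed with status ' + res.status);
  }
  return res.json();
}
```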