
Permission callbacks in WordPress

Introduction

A permission callback checks whether the current user is allowed to do something before WordPress performs it. This is how you keep your site safe and control access. Common situations where you need one:

When creating a custom REST API endpoint and you want only certain users to access it.
When adding a new admin page and you want to restrict it to editors or administrators.
When registering a custom post type and you want to control who can edit or delete those posts.
When building a plugin that needs to check user roles before performing actions.
When you want to prevent unauthorized users from changing settings or data.
Syntax
Wordpress
register_rest_route( 'namespace/v1', '/route', array(
  'methods' => 'GET',
  'callback' => 'your_callback_function',
  'permission_callback' => 'your_permission_function',
));

The permission_callback is a function that returns true if the current user may access the route, or false if not.

If you do not set permission_callback, WordPress will block access by default for security.

Examples
This example allows only users who can edit posts to access the endpoint.
Wordpress
function check_user_permission() {
  return current_user_can('edit_posts');
}

register_rest_route('myplugin/v1', '/data', array(
  'methods' => 'GET',
  'callback' => 'get_data',
  'permission_callback' => 'check_user_permission',
));
This example allows everyone to access the endpoint by always returning true.
Wordpress
register_rest_route('myplugin/v1', '/public', array(
  'methods' => 'GET',
  'callback' => 'public_data',
  'permission_callback' => '__return_true',
));
This example denies access to everyone by always returning false.
Wordpress
function deny_access() {
  return false;
}

register_rest_route('myplugin/v1', '/secret', array(
  'methods' => 'GET',
  'callback' => 'secret_data',
  'permission_callback' => 'deny_access',
));
Sample Program

This code creates a REST API endpoint at /wp-json/myplugin/v1/secret-message. Only users who can manage options (usually admins) can get the secret message. Others get a permission error.

Wordpress
<?php
function myplugin_permission_check() {
  // Only allow users who can manage options (usually admins)
  return current_user_can('manage_options');
}

function myplugin_get_secret_message() {
  return 'This is a secret message for admins only.';
}

add_action('rest_api_init', function () {
  register_rest_route('myplugin/v1', '/secret-message', array(
    'methods' => 'GET',
    'callback' => 'myplugin_get_secret_message',
    'permission_callback' => 'myplugin_permission_check',
  ));
});
Important Notes

Always use permission callbacks to protect your REST API endpoints.

Use WordPress functions like current_user_can() inside your permission callback to check user roles or capabilities.

If your permission callback returns false, WordPress sends a 403 Forbidden error automatically.
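The examples above return a fixed true or false for everyone. In practice the callback receives the WP_REST_Request, so it can check a capability against the specific object the request names. The following is an added example, not code from the original page: it registers a route that updates a post title and only allows the request when the user can edit that particular post (the edit_post meta capability). The route path, the myplugin_ function names and the error messages are assumptions for this example. Because current_user_can() only works for an authenticated request, clients must send WordPress auth (for example a logged-in cookie with a REST nonce, or an application password); returning a WP_Error instead of false lets you pick the status code and message yourself. WordPress 5.5 and later also emits a _doing_it_wrong notice when permission_callback is missing, so always set it explicitly.

```php
<?php
// Added example: object-level permission check for a custom REST route.
// Function names and the route are assumptions, not part of the original page.

// Permission callback: receives the request and returns true, false or WP_Error.
function myplugin_can_edit_requested_post( WP_REST_Request $request ) {
    $post_id = (int) $request['id'];

    // Anonymous requests never pass a capability check; say so with a 401
    // so that clients know they need to authenticate rather than that they are banned.
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            'You must be logged in to edit posts.',
            array( 'status' => 401 )
        );
    }

    // edit_post is a meta capability resolved per post ID: an Author passes
    // for their own post but not for someone else's, and a missing post fails.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to edit this post.',
            array( 'status' => 403 )
        );
    }

    return true;
}

// Route callback: only reached after the permission callback returned true.
function myplugin_update_post_title( WP_REST_Request $request ) {
    $post_id = (int) $request['id'];

    $result = wp_update_post(
        array(
            'ID'         => $post_id,
            'post_title' => sanitize_text_field( $request['title'] ),
        ),
        true // return WP_Error on failure instead of 0
    );

    if ( is_wp_error( $result ) ) {
        return $result;
    }

    return rest_ensure_response(
        array(
            'id'    => $post_id,
            'title' => get_the_title( $post_id ),
        )
    );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'myplugin/v1', '/posts/(?P<id>\d+)/title', array(
        'methods'             => WP_REST_Server::EDITABLE, // POST, PUT, PATCH
        'callback'            => 'myplugin_update_post_title',
        'permission_callback' => 'myplugin_can_edit_requested_post',
        // Argument validation runs before the permission callback, so $request['id']
        // is already a positive integer by the time the capability check sees it.
        'args'                => array(
            'id'    => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
            ),
            'title' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );
```

Drop this into a plugin file and call the route as an Editor and as an Author on a post the Author does not own: the first succeeds, the second gets the 403 from the permission callback before myplugin_update_post_title ever runs. Checking the capability against the object in the request, rather than a blanket capability such as edit_posts, is what stops one user from editing another user's content through your endpoint.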

Summary

Permission callbacks control who can access REST API routes.

They return true to allow access or false to block it.

Use WordPress capability checks inside permission callbacks for security.