I'm trying to set up a REST API on my WordPress site but I keep getting a:
403 "rest_forbidden", "message": "Sorry, you are not allowed to do that."
I have tried almost everything related to the .htaccess, file & folder permissions and code debugging, but it seems to be in order.
I've noticed in Chrome DevTools on my REST request that I get this error:
Request URL: https://mysite/wp-json/agility/v1/body_reactions_exercise_submits/
Request Method: POST
Status Code: 403
Remote Address: 93.192.149.128:443
Referrer Policy: strict-origin-when-cross-origin
Which led me to think that the error is found here.
Response headers:
access-control-allow-credentials: true
access-control-allow-headers: Authorization, X-WP-Nonce, Content-Disposition, Content-MD5, Content-Type
access-control-allow-methods: OPTIONS, GET, POST, PUT, PATCH, DELETE
access-control-allow-origin: https://mysite.dk
access-control-expose-headers: X-WP-Total, X-WP-TotalPages, Link
cache-control: no-cache, must-revalidate, max-age=0
content-type: application/json; charset=UTF-8
date: Mon, 07 Nov 2022 18:50:31 GMT
expires: Wed, 11 Jan 1984 05:00:00 GMT
link: <https://mysite.dk/wp-json/>; rel="https://api.w.org/"
server: Apache
simplycom-server: Apache
vary: Origin
x-content-type-options: nosniff
x-content-type-options: nosniff
x-robots-tag: noindex
x-wp-nonce: 4e1d47ebca
Request headers:
authority: mysite.dk
:method: POST
:path: /wp-json/agility/v1/body_reactions_exercise_submits/
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: en-GB,en;q=0.9,en-US;q=0.8,da;q=0.7
cache-control: no-cache
content-length: 39
content-type: application/x-www-form-urlencoded; charset=UTF-8
cookie: wf_loginalerted_deb7f1485ddd09882bf2b25862ac974db44f82cb0feb4afb7ac0dbeee3799b7b=4ff7d692ac9d5cb4526429c25da1fc5f6e3286dbba09472269b935b244bdcf30; wordpress_logged_in_673d309d9a05f5b76cf56a2a2ed5cfc7=su-admin-fll%7C1668019650%7CxFCQO4Nw6ul9VwbGAskysXfaf0y3a3ja7byhxPfK6XH%7C87853ea39548d983c701530c33c643c33f24bb068059eee2474fd2c1dd05d04b; wfwaf-authcookie-301c82f5ef5cb96a84d3b59d01978ec4=1%7Cadministrator%7Cmanage_options%2Cunfiltered_html%2Cedit_others_posts%2Cupload_files%2Cpublish_posts%2Cedit_posts%2Cread%7Cffd65b720d3f446ab3ad96e13abab2ad071e50d5df015313a664a9ec50ac84db; wp-settings-1=editor%3Dtinymce%26libraryContent%3Dbrowse; wp-settings-time-1=1667846872
dnt: 1
manage_options: true
origin: https://mysite.dk
pragma: no-cache
referer: https://mysite.dk/test-page/agility/agility-body-reaction/
sec-ch-ua: "Microsoft Edge";v="107", "Chromium";v="107", "Not=A?Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: same-origin
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.35
x-requested-with: XMLHttpRequest
x-wp-nonce: 4e1d47ebca
My JS code looks like this:
$.ajax({
    url: 'https://MySite.dk/wp-json/agility/v1/body_reactions_exercise_submits/',
    method: 'POST',
    beforeSend: function(xhr) {
        // wpApiSettings.nonce is the 'wp_rest' nonce WordPress hands to the page
        xhr.setRequestHeader('X-WP-Nonce', wpApiSettings.nonce);
    },
    data: {
        gender: gender,
        age: age,
        minutes: minutes,
        seconds: seconds
    }
});
Can anybody figure out what is wrong?
I don't know much about CORS.
Thanks
Flemming
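The post shows only the client side of the call. As an added example (not from the post and not WordPress core code), this is how the route in the request URL above could be registered on the server with an explicit permission_callback, which is the check that yields rest_forbidden when it returns false; the capability name, the helper functions and the storage call are assumptions.

```php
<?php
// Added example: register the POST route seen in the question under the
// agility/v1 namespace. Field names match the jQuery data object; the
// capability ('edit_posts'), helper names and storage are assumptions.
add_action( 'rest_api_init', function () {
    register_rest_route(
        'agility/v1',
        '/body_reactions_exercise_submits',
        array(
            'methods'  => WP_REST_Server::CREATABLE, // POST
            'callback' => 'agility_save_exercise_submit',
            // Runs before the callback. A false return is what produces
            // "rest_forbidden" / "Sorry, you are not allowed to do that.":
            // HTTP 403 when WordPress recognises a logged-in user, 401 when
            // it does not (rest_authorization_required_code()).
            'permission_callback' => function ( WP_REST_Request $request ) {
                return current_user_can( 'edit_posts' );
            },
            // Declare the fields so WordPress validates and sanitizes them
            // before the callback sees them, instead of trusting raw POST data.
            'args' => array(
                'gender'  => array( 'required' => true, 'sanitize_callback' => 'sanitize_text_field' ),
                'age'     => array( 'required' => true, 'validate_callback' => 'agility_is_nonneg_int' ),
                'minutes' => array( 'required' => true, 'validate_callback' => 'agility_is_nonneg_int' ),
                'seconds' => array( 'required' => true, 'validate_callback' => 'agility_is_nonneg_int' ),
            ),
        )
    );
} );

function agility_is_nonneg_int( $value ) {
    return is_numeric( $value ) && (int) $value == $value && (int) $value >= 0;
}

function agility_save_exercise_submit( WP_REST_Request $request ) {
    $submit = array(
        'gender'  => $request->get_param( 'gender' ),
        'age'     => (int) $request->get_param( 'age' ),
        'minutes' => (int) $request->get_param( 'minutes' ),
        'seconds' => (int) $request->get_param( 'seconds' ),
    );
    // Assumed storage: keep the last submission on the user's profile.
    update_user_meta( get_current_user_id(), 'agility_last_submit', $submit );
    return new WP_REST_Response( array( 'saved' => true, 'data' => $submit ), 201 );
}

// Cookie auth for REST only counts when a valid 'wp_rest' nonce arrives
// (X-WP-Nonce header or _wpnonce). No nonce: the caller is treated as logged
// out; a stale/invalid nonce: 403 rest_cookie_invalid_nonce instead.
add_action( 'wp_enqueue_scripts', function () {
    wp_localize_script( 'jquery', 'wpApiSettings', array( // assumed script handle
        'root'  => esc_url_raw( rest_url() ),
        'nonce' => wp_create_nonce( 'wp_rest' ),
    ) );
} );
```

Because a 403 (rather than 401) rest_forbidden means the request did reach a recognised logged-in user, the permission_callback of the route is the first place to look when debugging this response.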