Non-existent pages being blocked

[itzteajay-glitch]

Hi folks, I've been setting up authorizer on my site and found that page privacy section is blocking pages I cannot locate like the API. This would be totally fine if I was able to override it like the other pages but these particular pages do not show up.

https://hoth.social/wp-json/tribe/events/v1

I've already made the "Nonexistent (404) Pages item public to allow me to see some endpoints but the one above just doesn't seem to be covered by anything in there.

[itzteajay-glitch]

Also to note the issue is an events endpoint is being blocked and when click the bubble "Everyone can see the site" the endpoint is accessible to the public again. So I did my due diligence in narrowing it down to Authorizer.

[figureone]

A couple options here. Previous relevant threads:
https://wordpress.org/support/topic/authorizer-and-event-calendar-view-change-issue/
https://wordpress.org/support/topic/authorizer-blocking-events-plug-in/

AFAIK there is still an issue with Events Calendar where they don't send authentication headers with their REST requests, so all requests are seen as anonymous (and thus blocked by Authorizer if configured to restrict access to logged in users).

In your case, if you want to restrict access to the site to logged in users, but have the Events Calendar content public, there should be two options:

1. Hook into tribe_events_views_v2_rest_endpoint_available to disable the REST API and fall back to AJAX (which Authorizer won't restrict): https://wordpress.org/support/topic/authorizer-blocking-events-plug-in/#post-17850246
2. Hook into authorizer_has_access to inspect WordPress query variables to detect when the specific REST API request is happening, and allow access: https://github.com/uhm-coe/authorizer/blob/master/src/authorizer/class-authorization.php#L518-L536