While working on a project where LearnDash LMS WordPress Plugin courses listing data needed to be fetched using LearnDash LMS REST API, I encountered following 403 response from API when you call the API with JWT Bearer Token for Authorization:
{
"code": "ld_rest_cannot_view",
"message": "Sorry, you are not allowed to view this item.",
"data": {
"status": 403
}
}
Upon further checking of LearnDash API documentation here:
List Courses
Query this endpoint to retrieve a collection of courses. The response you receive can be controlled and filtered using the URL query parameters below.DefinitionGET /ldlms/v2/sfwd-courses
Example Request$ curl https://example.com/wp-json/ldlms/v2/sfwd-courses
And review of plugins/sfwd-lms/includes/rest-api/v2/class-ld-rest-courses-controller.php controller class code, I found out that only admin user is allowed to access the courses listing data via endpoint, not standard WordPress users, not even those users who are enrolled in the groups for any courses.
A quick dirty solution is to allow standard WordPress users to access the data via endpoint permissions check by making following change, (but it is not recommended due to deletion & update, create endpoint permissions).
Open plugins/sfwd-lms/includes/rest-api/v2/class-ld-rest-courses-controller.php file and scroll down to the end of file,
Find >>>
if ( learndash_is_admin_user() ) {
Replace with >>>
if ( learndash_is_admin_user() || is_user_logged_in() ) {
You have to do it on two places in this file class-ld-rest-courses-controller.php.
You have to do this for all other controller endpoints if you intend to use them in same way. I tested it and it showed me data by making this change for standard WordPress user.
You can also use following code if you want only users to be in LearnDash group with this code>>
Find >>>
if ( learndash_is_admin_user() ) {
Replace with >>>
if ( learndash_is_admin_user() || learndash_is_user_in_group() ) {
But that is not a good solution for updating and deleting courses endpoints as it will allow all users to edit or delete courses but you can further add code there to restrict standard user’s create, update and delete calls.
Proper Solution to Get LearnDash LMS Courses Listing and other endpoints
A proper solution is to use JSON API User Plus WordPress plugin, call CPT endpoint and get the listing. You can also use Update CPT and delete CPT endpoints with proper permissions. You can get courses listing, update CPT and delete CPT using User Plus API.
Screenshot of LearnDash LMS Courses Listing using get_posts endpoint:
To get courses, https://domain.com/api/userplus/get_posts/?key=KEY-HERE&post_type=sfwd-courses
User Plus endpoints documentation here:
get_posts for custom posts type sfwd-courses https://www.parorrey.com/documentation/get_posts
delete_cpt for custom post type sfwd-courses https://www.parorrey.com/documentation/delete_cpt
update_cpt for custom post type sfwd-courses https://www.parorrey.com/documentation/update_cpt
and check more endpoints of JSON API User Plus WordPress Plugin to get, update and delete post meta.