This repository was archived by the owner on Sep 24, 2018. It is now read-only.

Allow read and edit permission checks to be filterable  #660

@NateWr

Description

I'm trying to build a SaaS app on the REST API. To do so, I need to block read access to posts that are created by users. Only the author should be able to retrieve their own posts via the /posts endpoint.

This seems like a common use case for the REST API. But I am having a devil of a time figuring out how to use map_meta_cap and user_has_cap to accomplish this. If a post status is publish, the API seems to bypass these filters.

My custom $post_type->public = false, but $post_type->show_in_json = true so that it can be exposed via the API. This way you can't go to mysite.com/?p=123 and access the post. However, if you hit the /posts/123 endpoint, the API will expose the post. It will disregard any do_not_allow capabilities required via map_meta_cap. I can even strip all capabilities from a user in user_has_cap and it will still show me the post.

As far as I can tell, it completely bypasses any current_user_can() checks for published posts, regardless of the $post_type->public value.

I'm new to map_meta_cap and really struggling with it, so maybe I'm missing something obvious. Is there another way that read access to others' posts of specific post types is supposed to be protected from the API?

For reference, here is the map_meta_cap filter I'm using which, if I understand it correctly, should block access to all posts. Instead I can still hit /posts/123 to retrieve any post with a publish status.

```php
// Hook into map_meta_cap with all four arguments (the original had a stray ')').
add_filter( 'map_meta_cap', 'my_map_meta_cap', 10, 4 );

// Deliberately adds 'do_not_allow' to every capability check, so every
// current_user_can() call should fail. Used here to show that /posts/123
// still returns a published post regardless.
function my_map_meta_cap( $required_caps, $current_cap, $user_id, $args ) {
    $required_caps[] = 'do_not_allow';
    return $required_caps;
}
```
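Added example, not code from the issue or from the WP-API plugin: the narrower map_meta_cap filter a site owner would normally write for author-only read access. It scopes the override to the read_post meta cap on a single post type and keeps the allow/deny decision in a helper that can be exercised without a running WordPress. The post type slug my_private_type and all function names are hypothetical, and it assumes WordPress is loaded (for example as an mu-plugin). As the report above describes, a publish-status post served from /posts/123 is not run through this check at all on this plugin version, so the filter protects ordinary current_user_can() callers (front end, admin, custom code); whether the REST route honours it is exactly what the issue is asking for.

```php
<?php
/**
 * Added example for issue #660; not part of the WP-API plugin.
 * Assumes WordPress is loaded (drop into wp-content/mu-plugins/).
 * 'my_private_type' and the my_* function names are hypothetical.
 */

/**
 * Pure decision helper: given the primitive caps WordPress already mapped
 * for a 'read_post' check, return the caps the user must actually hold.
 * Only the post's author may read; everyone else gets 'do_not_allow',
 * WordPress' sentinel capability that user_has_cap() can never satisfy.
 */
function my_author_only_read_caps( array $caps, $post_author_id, $user_id ) {
    if ( (int) $user_id > 0 && (int) $post_author_id === (int) $user_id ) {
        // The author needs nothing beyond the post type's ordinary read cap.
        return $caps;
    }
    // Other users and logged-out visitors (user id 0) are denied.
    return array( 'do_not_allow' );
}

/**
 * map_meta_cap filter. Touch only read_post checks for our own post type and
 * leave every other capability check exactly as WordPress mapped it, so this
 * never locks administrators out of unrelated screens.
 */
function my_map_meta_cap( $caps, $cap, $user_id, $args ) {
    if ( 'read_post' !== $cap || empty( $args[0] ) ) {
        return $caps;
    }
    $post = get_post( $args[0] );
    if ( ! $post || 'my_private_type' !== $post->post_type ) {
        return $caps;
    }
    return my_author_only_read_caps( $caps, $post->post_author, $user_id );
}
add_filter( 'map_meta_cap', 'my_map_meta_cap', 10, 4 );

/**
 * Register the type the way the report describes: hidden from the front end
 * (public => false) but listed by the API (show_in_json => true, the flag the
 * report uses for this plugin version).
 */
function my_register_private_type() {
    register_post_type( 'my_private_type', array(
        'public'       => false,
        'show_in_json' => true,
        'supports'     => array( 'title', 'editor', 'author' ),
    ) );
}
add_action( 'init', 'my_register_private_type' );
```

With this in place, current_user_can( 'read_post', $id ) returns true only for the post's author, and the helper can be checked in isolation: my_author_only_read_caps( array( 'read' ), 5, 5 ) returns array( 'read' ) while my_author_only_read_caps( array( 'read' ), 5, 7 ) returns array( 'do_not_allow' ). Per the report, the read behaviour of the REST route itself still has to be confirmed against a publish-status post of this type.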
