The idea of a private journal within WordPress is certainly intriguing, notwithstanding potential security caveats, so I decided to look at a more specific solution to just creating private posts.
As suggested yesterday I registered a custom post type to keep things separate from the blog. In doing so I added support for the REST API (so that I could still post from Drafts) by adding 'show_in_rest' => true to the
This in turn creates a new API endpoint, /wp-json/wp/v2/journal, instead of the usual /posts, so I updated the Drafts action accordingly.
Next I added an additional menu item only visible when is_user_logged_in() is true.
And that's it, that's all it needs.
Adding REST API support is obviously not required if not posting via this method, so excluding show_in_rest or explicitly setting it to false cuts off this potential avenue of access.
To retain posting support I'm also looking at the possibility of redirecting just the GET method to a custom callback.
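One way to keep posting over the REST API while closing off reads, shown as an added example that is not code from the original post. It uses the rest_pre_dispatch filter rather than a redirected GET callback, and it assumes the post type slug is journal (inferred from the endpoint above), that the other registration arguments are as shown, and that edit_posts is the right capability to require.

```php
<?php
/**
 * Plugin Name: Journal REST read guard (added example)
 */

// Register the post type. Only 'show_in_rest' is taken from the post; the
// slug 'journal' is inferred from the endpoint and the rest is assumed.
add_action( 'init', function () {
    register_post_type( 'journal', array(
        'label'        => 'Journal',
        'public'       => true,
        'show_in_rest' => true,
        'supports'     => array( 'title', 'editor' ),
    ) );
} );

// Reject read requests to the journal routes unless the caller is an
// authenticated user who can edit posts. POST/PUT/DELETE are left to the
// default controller, which already requires authentication to write.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    // Respect an earlier filter that has already produced a response.
    if ( null !== $result ) {
        return $result;
    }

    // Matches /wp/v2/journal, /wp/v2/journal/<id> and sub-routes such as
    // revisions, but not a different post type like /wp/v2/journals.
    if ( ! preg_match( '#^/wp/v2/journal(/|$)#', $request->get_route() ) ) {
        return $result;
    }

    // HEAD is served by the GET handler, so it is treated as a read too.
    if ( ! in_array( $request->get_method(), array( 'GET', 'HEAD' ), true ) ) {
        return $result;
    }

    // Assumed capability check; current_user_can() is false for visitors.
    if ( current_user_can( 'edit_posts' ) ) {
        return $result;
    }

    // Returning a WP_Error here short-circuits the normal dispatch.
    return new WP_Error(
        'rest_forbidden',
        'Sorry, you are not allowed to read journal entries.',
        array( 'status' => rest_authorization_required_code() )
    );
}, 10, 3 );
```

This only covers the REST routes. Hiding the menu item does not restrict the front-end URLs of published entries, so those need their own check.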