Make WordPress Core

Opened 13 years ago

Closed 13 years ago

#18028 closed defect (bug) (wontfix)

wp.getAuthors user_email not returned for admin role

Reported by: jabowery
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: XML-RPC
Keywords:
Focuses:
Cc:

Description

The fix to the security hole with wp.getAuthors returning fields like user_email to unauthorized users was incorrect. The restriction on values returned from wp.getAuthors (and indeed any XMLRPC call) should be based on role rather than merely lopping them off for all roles.

Change History (2)

#1 @SergeyBiryukov
13 years ago

  • Component changed from General to XML-RPC

Related: [6498], #5534

#2 in reply to: description @westi
13 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed

Replying to jabowery:

The fix to the security hole with wp.getAuthors returning fields like user_email to unauthorized users was incorrect. The restriction on values returned from wp.getAuthors (and indeed any XMLRPC call) should be based on role rather than merely lopping them off for all roles.

I disagree.

I think it is much better to return a constant list of attributes regardless of role than vary the response based on role.
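The two designs argued over above (the description's role-dependent field list and westi's constant attribute list) as an added example, not WordPress code and not the changeset referenced in comment 1. It uses Python's xmlrpc.client to encode a wp.getAuthors request and response the way they travel on the wire, so the response shape can be inspected directly. The users, passwords, capability table, fault codes and the field names in CONSTANT_FIELDS are assumptions constructed for this example; the real method's field list and capability check are not asserted here.

```python
"""Model of the wp.getAuthors field-filtering question raised in #18028.

Added example, not WordPress code. It models the two designs argued over in
the ticket: (a) a constant list of attributes returned to every caller that
passes the capability check, and (b) a role-dependent list that adds
user_email for callers who hold an extra capability. Users, passwords,
capabilities and fault codes below are constructed sample data.
"""
import hmac
from xmlrpc.client import Fault, dumps, loads

# Constructed sample users (hypothetical; not from the ticket).
USERS = {
    "alice": {"user_id": 1, "display_name": "Alice", "user_email": "alice@example.com",
              "role": "administrator", "password": "alice-pw"},
    "bob":   {"user_id": 2, "display_name": "Bob", "user_email": "bob@example.com",
              "role": "author", "password": "bob-pw"},
    "carol": {"user_id": 3, "display_name": "Carol", "user_email": "carol@example.com",
              "role": "subscriber", "password": "carol-pw"},
}

# Simplified capability table (assumption; real roles carry many more caps).
CAPS = {
    "administrator": {"edit_posts", "list_users"},
    "author": {"edit_posts"},
    "subscriber": set(),
}

# Design (a): the response shape is fixed no matter who asks (assumed field list).
CONSTANT_FIELDS = ("user_id", "user_login", "display_name")


def authenticate(username, password):
    """Return the caller's record (with user_login filled in) or None."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["password"], password):
        return None
    return dict(user, user_login=username)


def _project(fields):
    """Build one author struct per user containing only the given fields."""
    return [{field: dict(u, user_login=login)[field] for field in fields}
            for login, u in USERS.items()]


def get_authors_constant(caller):
    """Design (a): gate on a capability, then return the same fields to everyone."""
    if "edit_posts" not in CAPS[caller["role"]]:
        raise Fault(401, "Sorry, you are not allowed to edit posts on this site.")
    return _project(CONSTANT_FIELDS)


def get_authors_role_based(caller):
    """Design (b): same gate, but the field list grows with the caller's capabilities."""
    if "edit_posts" not in CAPS[caller["role"]]:
        raise Fault(401, "Sorry, you are not allowed to edit posts on this site.")
    fields = CONSTANT_FIELDS
    if "list_users" in CAPS[caller["role"]]:
        fields = fields + ("user_email",)
    return _project(fields)


def build_request(username, password, blog_id=1):
    """Client side: encode wp.getAuthors(blog_id, username, password) as XML-RPC."""
    return dumps((blog_id, username, password), methodname="wp.getAuthors")


def handle_request(xml, handler):
    """Server side: decode the call, authenticate, dispatch, encode the reply."""
    params, methodname = loads(xml)
    if methodname != "wp.getAuthors" or len(params) != 3:
        return dumps(Fault(-32601, "server error. requested method not found"),
                     methodresponse=True)
    _blog_id, username, password = params
    caller = authenticate(username, password)
    if caller is None:
        # Authentication fails before any user data is touched.
        return dumps(Fault(403, "Incorrect username or password."), methodresponse=True)
    try:
        return dumps((handler(caller),), methodresponse=True)
    except Fault as fault:
        return dumps(fault, methodresponse=True)


def decode_response(xml):
    """Client side: (authors, None) on success, (None, fault_code) on a fault."""
    try:
        (authors,), _ = loads(xml)
    except Fault as fault:
        return None, fault.faultCode
    return authors, None


def response_leaks_email(xml):
    """True if any author struct in the reply carries user_email."""
    authors, _ = decode_response(xml)
    return bool(authors) and any("user_email" in author for author in authors)
```

Under design (a) every author struct has exactly the keys in CONSTANT_FIELDS whichever authenticated caller asked, which is the property westi prefers: a client can rely on the response shape, and a user_email field can never appear by mistake for some role. Under design (b) the same call returns different struct keys depending on the caller's capabilities, so a client (and a reviewer) has to reason about every role to know what the method can disclose.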
