
Opened 3 years ago

Closed 3 years ago

#18028 closed defect (bug) (wontfix)

wp.getAuthors user_email not returned for admin role

Reported by: jabowery
Owned by: (none)
Milestone: (none)
Priority: normal
Severity: normal
Version: (none)
Component: XML-RPC
Keywords: (none)
Focuses: (none)
Cc: (none)

Description

The fix to the security hole with wp.getAuthors returning fields like user_email to unauthorized users was incorrect. The restriction on values returned from wp.getAuthors (and indeed any XMLRPC call) should be based on role rather than merely lopping them off for all roles.

Change History (2)

comment:1 by SergeyBiryukov, 3 years ago

  • Component changed from General to XML-RPC

Related: [6498], #5534

comment:2 (in reply to: description) by westi, 3 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed

Replying to jabowery:

The fix to the security hole with wp.getAuthors returning fields like user_email to unauthorized users was incorrect. The restriction on values returned from wp.getAuthors (and indeed any XMLRPC call) should be based on role rather than merely lopping them off for all roles.

I disagree.

I think it is much better to return a constant list of attributes regardless of role than to vary the response based on role.
