Opened 13 years ago
Closed 13 years ago
#18028 closed defect (bug) (wontfix)
wp.getAuthors user_email not returned for admin role
| Reported by: | jabowery | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | XML-RPC | Keywords: | |
| Focuses: | | Cc: | |
Description
The fix to the security hole with wp.getAuthors returning fields like user_email to unauthorized users was incorrect. The restriction on values returned from wp.getAuthors (and indeed any XMLRPC call) should be based on role rather than merely lopping them off for all roles.
Change History (2)
#2 in reply to: ↑ description, 13 years ago
- Milestone Awaiting Review deleted
- Resolution set to wontfix
- Status changed from new to closed
Replying to jabowery:
> The fix to the security hole with wp.getAuthors returning fields like user_email to unauthorized users was incorrect. The restriction on values returned from wp.getAuthors (and indeed any XMLRPC call) should be based on role rather than merely lopping them off for all roles.
I disagree.
I think it is much better to return a constant list of attributes regardless of role than vary the response based on role.
Related: [6498], #5534
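
The two positions in this ticket can be checked against captured XML-RPC replies. The following is an added example, not code from the ticket or from WordPress: it audits wp.getAuthors responses recorded per caller role for the `user_email` field and for a field list that differs between roles. The sample rows, the role names and every field name other than `user_email` are constructed assumptions.

```python
import xmlrpc.client

SENSITIVE = {"user_email"}  # the field named in the ticket

# Constructed sample rows; field names other than user_email are assumptions.
PUBLIC_ROW = {"user_id": "1", "user_login": "editor1", "display_name": "Editor One"}
EMAIL_ROW = dict(PUBLIC_ROW, user_email="editor1@example.test")


def build_response(authors):
    """Serialize constructed author structs as an XML-RPC methodResponse."""
    return xmlrpc.client.dumps((authors,), methodresponse=True)


def response_fields(response_xml):
    """Return every struct key that appears anywhere in one reply."""
    (authors,), _method = xmlrpc.client.loads(response_xml)
    return frozenset(key for author in authors for key in author)


def audit(responses_by_role):
    """Check replies captured per caller role; return a list of findings."""
    findings = []
    fields_by_role = {}
    for role, xml in sorted(responses_by_role.items()):
        fields = response_fields(xml)
        fields_by_role[role] = fields
        leaked = sorted(fields & SENSITIVE)
        if leaked:
            findings.append(("sensitive-field", role, leaked))
    # A field list that differs between roles means the schema is role-dependent.
    if len(set(fields_by_role.values())) > 1:
        findings.append(("schema-varies", sorted(fields_by_role)))
    return findings


if __name__ == "__main__":
    constant = {r: build_response([PUBLIC_ROW]) for r in ("subscriber", "administrator")}
    by_role = dict(constant, administrator=build_response([EMAIL_ROW]))
    print("constant list:", audit(constant))
    print("role-based list:", audit(by_role))
```
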