media endpoint should not be public in default installation

[arkonisus]

While there is no status for media (#17255) or any other protection against downloading unpublished files it should also not be allowed to list the uploaded media via the /media/ REST API endpoint e.g.: ​https://de.wordpress.org/wp-json/wp/v2/media/

Just think about a site owner who has uploaded some files for the next scheduled blog post or some information only accessible to certain users e.g. the pricelists for next month. Yes, everyone should know that this is not a very secure location but i'm not sure if most of the users (without technical background) do know this. Of course, the files are also accessible via the url parameter '?p=xxx', but with support of the REST API it is much more comfortable to browse the files of any website ...

In my opinion there are two possible solutions:

1. Every file gets also a status like other posts (#17255)
2. The REST API is disabled per default so users have to enable it explicitly (#39806)

I would prefer both of them, but firstly 2. because most of the sites don't really need the REST API. Respectively they only need it if the admin enables some stuff which will talk to the api and in that case the rest api could be anabled too.

[johnbillion]

Replying to arkonisus:

Just think about a site owner who has uploaded some files for the next scheduled blog post or some information only accessible to certain users e.g. the pricelists for next month.

It's worth mentioning here that media that is attached to a post (instead of uploaded to the media library directly) is correctly handled by the /media endpoint with regard to the status of its parent post. For example, if you upload a media file to a draft post, that media will not be exposed via the /media endpoint until the post is published.

[TimothyBlynJacobs]

Closing. We can't hide the media endpoint at this point and there already are existing controls to prevent media items from being publicized.