Make WordPress Core

Opened 7 years ago

Closed 7 years ago

Last modified 5 years ago

#43359 closed enhancement (invalid)

REST API: /users accessible without authentication

Reported by: rdjong
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 4.9.4
Component: HTTP API
Keywords:
Focuses: rest-api
Cc:

Description

Hello,

On May 25, the new privacy law (GDPR: General Data Protection Regulation) will come into effect within the European Union.

At the moment, the REST API (GET /users) allows everyone to read out names without having to identify themselves. I believe that this does not comply with these new regulations.

Is it possible to add an option to the settings page to manage the REST API calls?

Thanks.

Change History (4)

#1 @dd32
7 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

Hi @rdjong,

> At the moment, the REST API (GET /users) allows everyone to read out names without having to identify them.

This is intentional, and AFAIK (I'm not a lawyer) does not break any GDPR regulations - at least, not by itself.

The /users API only lists already-public information about authors on a site; it does not list non-post-authors.
For authenticated users who have the permission to list all users, it can be used to list *all* users, but when logged out it'll only show authors.
The data exposed within the endpoint for authors is available through other means on WordPress sites (author archive pages, author taglines, etc.), although not all themes will display this in a way that's readable (hidden elements, HTML attributes, etc.).

I unfortunately cannot find the previous ticket about this with extra details, but the endpoint as it exists today is required and doesn't display anything deemed private.
There do exist plugins to disable parts of the API (some security plugins do), but doing so is highly likely to break other API clients at some point.
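The behaviour described in the comment above (logged-out requests see only authors and only their public profile fields; a logged-in user with permission to list users can see everyone, and `context=edit` adds the private fields) is easy to verify against your own site. The script below is an added example written for this page; it is not code from the ticket or from WordPress core. It assumes the site serves the REST API under `<base_url>/wp-json/` (the default) and, for the authenticated run, whatever `Authorization` header the site accepts (an assumption: 4.9 core only ships cookie-plus-nonce authentication, so header-based auth needs a plugin or a later core version). The sample response bodies at the bottom are constructed, not captured, so the field checks can run offline.

```python
"""Probe what a WordPress site's /wp/v2/users endpoint exposes.

Added example, not code from the Trac ticket or WordPress core. Assumes the
REST API lives under <base_url>/wp-json/ and that the optional auth_header
is one the target site accepts (assumption; not part of 4.9 core).
"""
import json
import urllib.error
import urllib.request

# Fields the users controller returns in the default "view" context: the
# already-public author profile data. Any SENSITIVE_FIELDS key in a response
# means the request was authenticated and served in "edit" context.
PUBLIC_FIELDS = {"id", "name", "url", "description", "link", "slug",
                 "avatar_urls", "meta", "_links"}
SENSITIVE_FIELDS = {"username", "email", "roles", "capabilities",
                    "extra_capabilities", "registered_date", "locale",
                    "first_name", "last_name", "nickname"}


def fetch_users(base_url, auth_header=None, context="view"):
    """GET /wp/v2/users page by page. Returns (http_status, list_of_users).

    An unauthenticated request with context=edit is expected to get 401; the
    status is returned instead of raised so the caller can report it.
    """
    users, page = [], 1
    while True:
        url = (f"{base_url.rstrip('/')}/wp-json/wp/v2/users"
               f"?per_page=100&page={page}&context={context}")  # 100 is the cap
        req = urllib.request.Request(url, headers={"Accept": "application/json"})
        if auth_header:
            req.add_header("Authorization", auth_header)
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                users.extend(json.load(resp))
                total_pages = int(resp.headers.get("X-WP-TotalPages", "1"))
        except urllib.error.HTTPError as err:
            return err.code, users
        if page >= total_pages:
            return 200, users
        page += 1


def sensitive_fields_seen(users):
    """Return the set of non-public fields present in a decoded /users body."""
    seen = set()
    for user in users:
        seen.update(SENSITIVE_FIELDS.intersection(user))
    return seen


def only_visible_logged_in(anon_users, auth_users):
    """Slugs returned to an authenticated lister but not to the public.

    Per the comment above these should be the accounts with no published
    posts, since the logged-out listing is limited to authors.
    """
    anon_slugs = {u["slug"] for u in anon_users}
    return sorted(u["slug"] for u in auth_users if u["slug"] not in anon_slugs)


def report(base_url, auth_header=None):
    """Live check: public listing, denied edit context, authenticated listing."""
    status, anon = fetch_users(base_url)
    print(f"unauthenticated: HTTP {status}, {len(anon)} users, sensitive fields:",
          sorted(sensitive_fields_seen(anon)) or "none")
    status, _ = fetch_users(base_url, context="edit")
    print(f"unauthenticated context=edit: HTTP {status} (expect 401)")
    if auth_header:
        status, auth = fetch_users(base_url, auth_header, context="edit")
        print(f"authenticated: HTTP {status}, {len(auth)} users, not listed",
              "publicly:", only_visible_logged_in(anon, auth))


# Constructed sample bodies (not captured from any real site) for offline use.
SAMPLE_ANON = [
    {"id": 1, "name": "Site Admin", "slug": "admin", "url": "", "description": "",
     "link": "https://example.test/author/admin/", "avatar_urls": {}, "meta": []},
    {"id": 3, "name": "Jane Writer", "slug": "jane", "url": "", "description": "",
     "link": "https://example.test/author/jane/", "avatar_urls": {}, "meta": []},
]
_BOB = {"id": 7, "name": "Bob Subscriber", "slug": "bob", "url": "", "description": "",
        "link": "https://example.test/author/bob/", "avatar_urls": {}, "meta": []}
# What the same users look like to a lister in edit context: one extra account
# (no posts) and the private columns on every record.
SAMPLE_AUTH_EDIT = [
    dict(u, username=u["slug"], email=f"{u['slug']}@example.test",
         roles=["subscriber"], registered_date="2018-02-01T00:00:00")
    for u in SAMPLE_ANON + [_BOB]
]

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        report(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None)
    else:  # no site given: exercise the checks on the constructed samples
        print("sensitive in public sample:", sensitive_fields_seen(SAMPLE_ANON))
        print("only visible logged in:",
              only_visible_logged_in(SAMPLE_ANON, SAMPLE_AUTH_EDIT))
```

Run it as `python probe_users.py https://example.test` for the public view, and add an `Authorization` header value as a second argument to compare against the authenticated listing. If `sensitive_fields_seen` returns anything for the unauthenticated run, something on the site (a plugin filter, a misconfigured proxy that forwards credentials) is widening the default view, which is the condition worth investigating rather than the author list itself.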

#2 @rdjong
7 years ago

Thanks for the info @dd32! It was just a little concern. :-)

This ticket was mentioned in Slack in #core-restapi by nerrad. (5 years ago)
This ticket was mentioned in Slack in #core-restapi by timothybjacobs. (5 years ago)
