#43359 closed enhancement (invalid)
REST API: /users accessible without authentication
| Reported by: | rdjong | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 4.9.4 |
| Component: | HTTP API | Keywords: | |
| Focuses: | rest-api | Cc: | |
Description
Hello,
On May 25, the new privacy law (GDPR: General Data Protection Regulation) will come into effect within the European Union.
At the moment, the REST API (GET /users) allows everyone to read out names without having to identify themselves. I believe that this does not comply with these new regulations.
Is it possible to add an option to the settings page to manage the REST API calls?
Thanks.
Change History (4)
#1 @ 7 years ago
- Milestone Awaiting Review deleted
- Resolution set to invalid
- Status changed from new to closed
This ticket was mentioned in Slack in #core-restapi by nerrad. (5 years ago)
This ticket was mentioned in Slack in #core-restapi by timothybjacobs. (5 years ago)
Hi @rdjong,
This is intentional, and AFAIK (I'm not a lawyer) does not break any GDPR regulations - at least, not by itself.
The /users API only lists already-public information about authors on a site; it does not list non-post-authors. For authenticated users who have the permission to list all users, it can be used to list *all* users - but when logged out, it'll only show authors.
The data exposed within the endpoint for authors is available through other means on WordPress sites (author archive pages, author taglines, etc.) - although not all themes will display this in a way that's readable (hidden elements, HTML attributes, etc.).
I unfortunately cannot find the previous ticket about this with extra details, but the endpoint as it exists today is required and doesn't display anything deemed private.
There do exist plugins to disable parts of the API (some security plugins do), but doing so is highly likely to break other API clients at some point.
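For a site owner who still wants to close the anonymous view of /users without the breakage that comes from removing the route outright, here is an added example of a small must-use plugin; it is not code from this ticket or from WordPress core. It assumes no anonymous client on the site needs to list authors, and it uses core's `rest_endpoints` filter to wrap each handler's `permission_callback` so that logged-out requests get a 401 while logged-in clients (the block editor, for instance) keep core's own permission logic.

```php
<?php
/**
 * Plugin Name: Require authentication for the users REST routes
 *
 * Added example (hypothetical mu-plugin, not WordPress core code). Instead of
 * unsetting the routes, which breaks any client that needs them, it wraps each
 * handler's permission_callback so anonymous requests get a 401 while
 * authenticated clients keep the core behaviour.
 */

add_filter( 'rest_endpoints', function ( array $endpoints ): array {
    // Core route keys for the users collection and the single-user endpoint.
    $routes = array( '/wp/v2/users', '/wp/v2/users/(?P<id>[\d]+)' );

    foreach ( $routes as $route ) {
        if ( empty( $endpoints[ $route ] ) || ! is_array( $endpoints[ $route ] ) ) {
            continue;
        }
        foreach ( $endpoints[ $route ] as $key => $handler ) {
            // Non-numeric keys are route options (e.g. 'namespace'), not handlers.
            if ( ! is_numeric( $key ) || ! is_array( $handler ) ) {
                continue;
            }
            $original = $handler['permission_callback'] ?? '__return_true';

            $endpoints[ $route ][ $key ]['permission_callback'] = function ( WP_REST_Request $request ) use ( $original ) {
                if ( ! is_user_logged_in() ) {
                    // 401 for anonymous callers; core's own check below still decides
                    // whether a logged-in user may list or view other users.
                    return new WP_Error(
                        'rest_user_auth_required',
                        'Authentication is required to access the users endpoint.',
                        array( 'status' => rest_authorization_required_code() )
                    );
                }
                return call_user_func( $original, $request );
            };
        }
    }
    return $endpoints;
} );
```

Drop the file into wp-content/mu-plugins/ and confirm with a logged-out GET to /wp-json/wp/v2/users that the response is now a 401 JSON error rather than the author list.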