#49858 closed defect (bug) (worksforme)
REST API exposed user data
| Reported by: | vinit86 | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 4.7 |
| Component: | REST API | Keywords: | has-privacy-review close |
| Focuses: | rest-api | Cc: | |
Description

https://spressforumstg.wpengine.com/wp-json/wp/v2/users/

```json
[
  {
    "id": 1,
    "name": "Brian Gardner",
    "url": "http://spressforumstg.wpengine.com",
    "description": "Self-confessed Starbucks addict. Sarah McLachlan fan. Lover of WordPress. Nomad Theorist. Founder of StudioPress. Partner at Copyblogger Media.",
    "link": "https://spressforumstg.wpengine.com/author/brian-gardner/",
    "slug": "brian-gardner",
    "avatar_urls": {
      "24": "https://spressforumstg.wpengine.com/wp-json/wpe-avatar/v1/user/1?s=24&d=mm&r=g",
      "48": "https://spressforumstg.wpengine.com/wp-json/wpe-avatar/v1/user/1?s=48&d=mm&r=g",
      "96": "https://spressforumstg.wpengine.com/wp-json/wpe-avatar/v1/user/1?s=96&d=mm&r=g"
    },
    "meta": []
  }
]
```
Change History (4)
#2 @ 4 years ago
- Component changed from General to REST API
- Milestone Awaiting Review deleted
- Resolution set to worksforme
- Status changed from new to closed
- Version set to 4.7
Yep @knutsp is correct, this is only info that would already be public in a standard WordPress install.
Additionally, it only exposes that data for users that have authored posts that appear in the REST API.
See also #49110.
#3 @ 4 years ago
- Component changed from REST API to General
- Version 4.7 deleted
Hello there, @vinit86
This issue has been debated on Slack before :)
If you are, for example, running a private membership site, where you do not want any information about your users displayed publicly, please post a question here:
https://wordpress.org/support/forum/how-to-and-troubleshooting/
There are several possible solutions to your concerns, but a Trac ticket is not the appropriate place to discuss them.
I am sure that the forum volunteers would be willing to discuss some of your options with you.
The good news is that the REST API team is working on a native basic authorization mechanism (so within core), but that is not ready yet.
All the best.
It seems to be the same kind of public info as displayed on my site https://beta.nettvendt.no/author/knutsp/
Author info (slug, display_name, description and url) has always been public on WordPress. So it has nothing to do with the REST API; it is by design.
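One of the options comments #2 and #3 allude to, as an added example that is not from the ticket or from WordPress core: a must-use plugin that removes the users collection and single-user routes for requests that are not authenticated with the `list_users` capability, using the core `rest_endpoints` filter. As comment #2 points out, the same slugs stay visible through author archives, so this narrows the REST surface rather than making author data private.

```php
<?php
/**
 * Plugin Name: Restrict REST users routes (added example, not from the ticket)
 *
 * Place in wp-content/mu-plugins/ to hide /wp/v2/users from requests
 * that lack the list_users capability (administrators have it by default).
 */

add_filter( 'rest_endpoints', function ( array $endpoints ) {
    // get_routes() is called during dispatch, after REST authentication
    // (cookie + nonce, or another auth plugin) has set the current user,
    // so a capability check here reflects the actual caller.
    if ( current_user_can( 'list_users' ) ) {
        return $endpoints;
    }

    // Route keys exactly as WP_REST_Users_Controller registers them in core.
    $restricted = array(
        '/wp/v2/users',
        '/wp/v2/users/(?P<id>[\d]+)',
    );
    foreach ( $restricted as $route ) {
        unset( $endpoints[ $route ] );
    }
    // /wp/v2/users/me is left in place: it already requires authentication.

    return $endpoints;
} );
```

Anonymous requests to the removed routes then receive the standard `rest_no_route` 404, while the index at /wp-json/ also stops listing them.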