Make WordPress Core

Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#49858 closed defect (bug) (worksforme)

REST API exposed user data

Reported by: vinit86
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 4.7
Component: REST API
Keywords: has-privacy-review close
Focuses: rest-api
Cc:

Description

Change History (4)

#1 @knutsp
4 years ago

  • Keywords close added
  • Version trunk deleted

It seems to be the same kind of public info as displayed on my site https://beta.nettvendt.no/author/knutsp/

Author info (slug, display_name, description and url) has always been public on WordPress. So it has nothing to do with the REST API, but is by design.

#2 @TimothyBlynJacobs
4 years ago

  • Component changed from General to REST API
  • Milestone Awaiting Review deleted
  • Resolution set to worksforme
  • Status changed from new to closed
  • Version set to 4.7

Yep @knutsp is correct, this is only info that would already be public in a standard WordPress install.

Additionally, it only exposes that data for users that have authored posts that appear in the REST API.

See also #49110.

#3 @carike
4 years ago

  • Component changed from REST API to General
  • Version 4.7 deleted

Hallo there, @vinit86

This issue has been debated on Slack before :)

If you are, for example, running a private membership site, where you do not want any information about your users displayed publicly, please post a question here:
https://wordpress.org/support/forum/how-to-and-troubleshooting/
There are several possible solutions to your concerns, but a Trac ticket is not the appropriate place to discuss them.
I am sure that the forum volunteers would be willing to discuss some of your options with you.

The good news is that the REST API team is working on a native basic authorization mechanism (so within core), but that is not ready yet.

All the best.

#4 @carike
4 years ago

  • Component changed from General to REST API
  • Version set to 4.7
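
A site owner can check the claim in the comments above (that only slug, display name, description and url are public) against a saved `/wp/v2/users` response. The following is an added example, not part of the ticket or of WordPress core. The `PUBLIC_FIELDS` baseline, the function name `audit_users` and the sample data are assumptions made for illustration; the REST field `name` carries the display name.

```python
import json
import re

# Assumption: fields WordPress core returns for a user in the default "view"
# context; anything else in an unauthenticated response deserves a look.
PUBLIC_FIELDS = {"id", "name", "url", "description", "link", "slug",
                 "avatar_urls", "meta", "_links"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def audit_users(body):
    """Map each user's slug to findings for a /wp/v2/users JSON body."""
    data = json.loads(body)
    if isinstance(data, dict):
        if "code" in data and "slug" not in data:
            return {}  # REST error object: the endpoint returned no user data
        data = [data]  # single-user response
    report = {}
    for user in data:
        findings = [f"unexpected field: {f}"
                    for f in sorted(set(user) - PUBLIC_FIELDS)]
        for field in sorted(set(user) & PUBLIC_FIELDS):
            value = user[field]
            if isinstance(value, str) and EMAIL_RE.search(value):
                findings.append(f"email-like value in public field: {field}")
        if findings:
            report[user.get("slug", "?")] = findings
    return report


# Constructed sample response, not taken from any real site.
SAMPLE = json.dumps([
    {"id": 1, "name": "Editor", "slug": "editor", "url": "",
     "description": "", "link": "https://example.com/author/editor/"},
    {"id": 2, "name": "jane@example.com", "slug": "jane", "url": "",
     "description": "", "link": "https://example.com/author/jane/",
     "email": "jane@example.com"},
])

if __name__ == "__main__":
    for slug, findings in audit_users(SAMPLE).items():
        print(slug, findings)
```

An empty result means the response carried only the baseline fields and no email-like display names.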