[wp-trac] [WordPress Trac] #40546: media endpoint should not be public in default installation

WordPress Trac noreply at wordpress.org
Sun Apr 23 13:33:49 UTC 2017


#40546: media endpoint should not be public in default installation
-------------------------+-----------------------------
 Reporter:  arkonisus    |      Owner:
     Type:  enhancement  |     Status:  new
 Priority:  normal       |  Milestone:  Awaiting Review
Component:  REST API     |    Version:  4.7
 Severity:  normal       |   Keywords:
  Focuses:               |
-------------------------+-----------------------------
 While there is no status for media (#17255) or any other protection
 against downloading unpublished files, it should also not be allowed to
 list the uploaded media via the /media/ REST API endpoint, e.g.:
 https://de.wordpress.org/wp-json/wp/v2/media/

 Just think about a site owner who has uploaded some files for the next
 scheduled blog post or some information only accessible to certain users
 e.g. the pricelists for next month. Yes, everyone should know that this is
 not a very secure location but I'm not sure if most of the users (without
 technical background) do know this. Of course, the files are also
 accessible via the url parameter '?p=xxx', but with support of the REST
 API it is much more comfortable to browse the files of any website ...

 In my opinion there are two possible solutions:
 1. Every file also gets a status like other posts (#17255)
 2. The REST API is disabled per default so users have to enable it
 explicitly (#39806)

 I would prefer both of them, but firstly 2. because most of the sites
 don't really need the REST API. Respectively they only need it if the
 admin enables some stuff which will talk to the API and in that case the
 REST API could be enabled too.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/40546>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
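The mitigation the ticket asks for, gating the /wp/v2/media routes so that anonymous clients cannot enumerate attachments, can be applied today from a must-use plugin without waiting on a core change. The following is an added example written for this page; it is not code from the ticket, from the reporter, or from WordPress core. It assumes the core `rest_pre_dispatch` filter and the `upload_files` capability, and it gates only the route prefix named on the ticket; the plugin name, error code and message are illustrative.

```php
<?php
/**
 * Plugin Name: Restrict REST media listing (added example, not from the ticket)
 *
 * Place in wp-content/mu-plugins/ so it loads before any other plugin.
 * Requires the `upload_files` capability for every request that reaches
 * the /wp/v2/media routes (collection and single items). The route prefix
 * and the chosen capability are assumptions for illustration.
 */

add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    // A previous filter already produced a response or error; leave it alone.
    if ( null !== $result ) {
        return $result;
    }

    // Only the attachment routes are gated; every other endpoint is untouched.
    $route = $request->get_route();
    if ( 0 !== strpos( $route, '/wp/v2/media' ) ) {
        return $result;
    }

    // Cookie-authenticated callers with a valid REST nonce (e.g. the block
    // editor) already have a current user at this point; anonymous callers do not.
    if ( current_user_can( 'upload_files' ) ) {
        return $result;
    }

    // 401 for anonymous requests, 403 for logged-in users lacking the capability,
    // so clients and logs can distinguish "authenticate" from "not permitted".
    return new WP_Error(
        'rest_media_forbidden',
        __( 'Listing or reading media requires authentication.' ),
        array( 'status' => is_user_logged_in() ? 403 : 401 )
    );
}, 10, 3 );
```

After dropping the file in, request `/wp-json/wp/v2/media/` once anonymously and once as an editor to confirm the 401 and the normal listing respectively. This is the ticket's option 2 narrowed to media only; it does not give attachments a status (option 1, #17255), and any theme or integration that lists media for anonymous visitors will stop working, so check those before enabling it on a production site.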