[wp-trac] [WordPress Trac] #38691: REST API: Hide schema/args for site-customized endpoints unless authenticated
WordPress Trac
noreply at wordpress.org
Mon Nov 7 14:33:13 UTC 2016
#38691: REST API: Hide schema/args for site-customized endpoints unless
authenticated
--------------------------+-----------------------------
 Reporter:  jnylen0       |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  REST API      |    Version:  trunk
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
Migrated from https://github.com/WP-API/WP-API/issues/2895 - we should
consider hiding the list of site-registered custom settings from the
schema and endpoint arguments unless the requesting user has the
permissions necessary to actually use these arguments.

It seems unwise to publicly expose the list of non-core settings that a
site has added to the API for customization purposes; all this does is
expose information about custom code that the site is running.

I'm not sure whether this is truly a 'bug' but we should discuss it before
4.7.

Should we also do something similar for meta? Anywhere else?
--
Ticket URL: <https://core.trac.wordpress.org/ticket/38691>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
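
Added example (not part of the ticket and not WordPress code): a Python model of the proposal, which lists the args a site has added to a route's index entry and drops them for requesters who cannot use them. The `/wp/v2/settings` route, the `acme_*` setting names, the JSON shape and the baseline are assumptions constructed for illustration.

```python
import copy
import json

# Constructed sample of an anonymous index response; the route, setting names
# and JSON shape are assumptions made for this example.
SAMPLE_INDEX = json.loads("""
{"routes": {"/wp/v2/settings": {"endpoints": [
  {"methods": ["GET"], "args": {}},
  {"methods": ["POST"], "args": {
    "title": {"required": false},
    "description": {"required": false},
    "acme_crm_region": {"required": false},
    "acme_feature_flags": {"required": false}}}
]}}}
""")

# Assumed per-route baseline of args present on a clean install; build the
# real one from an uncustomized site running the same WordPress version.
BASELINE = {"/wp/v2/settings": {"title", "description"}}


def site_added_args(index, baseline):
    """Map each baselined route to the sorted arg names the site added."""
    found = {}
    for route, known in baseline.items():
        endpoints = index.get("routes", {}).get(route, {}).get("endpoints", [])
        extra = set()
        for endpoint in endpoints:
            extra |= set(endpoint.get("args", {})) - known
        if extra:
            found[route] = sorted(extra)
    return found


def redact_index(index, baseline, can_use_args):
    """Copy the index, dropping site-added args unless the requester holds
    the permission needed to use them."""
    redacted = copy.deepcopy(index)
    if can_use_args:
        return redacted
    for route, known in baseline.items():
        for endpoint in redacted.get("routes", {}).get(route, {}).get("endpoints", []):
            if "args" in endpoint:
                endpoint["args"] = {k: v for k, v in endpoint["args"].items() if k in known}
    return redacted


if __name__ == "__main__":
    print("exposed to anonymous callers:", site_added_args(SAMPLE_INDEX, BASELINE))
    print(json.dumps(redact_index(SAMPLE_INDEX, BASELINE, False), indent=2))
```

Routes without a baseline entry are left untouched, so the redaction only affects endpoints whose clean-install args are known.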