[wp-trac] [WordPress Trac] #43359: REST API: /users accessible without authentication
WordPress Trac
noreply at wordpress.org
Mon Feb 19 23:43:30 UTC 2018
#43359: REST API: /users accessible without authentication
-------------------------+-----------------------
Reporter: rdjong | Owner:
Type: enhancement | Status: closed
Priority: normal | Milestone:
Component: HTTP API | Version: 4.9.4
Severity: normal | Resolution: invalid
Keywords: | Focuses: rest-api
-------------------------+-----------------------
Changes (by dd32):
* status: new => closed
* resolution: => invalid
* milestone: Awaiting Review =>
Comment:
Hi @rdjong,
> At the moment, the REST API (GET /users) allows everyone to read out
names without having to identify them.
This is intentional, and AFAIK (I'm not a lawyer) does not break any GDPR
regulations - at least, not by itself.
The `/users` API only lists already-public information about authors on a
site, it does not list non-post-authors.
For authenticated users who have the permission to list all users, it can
be used to list *all* users - but when logged out, it'll only show
authors.
The data exposed within the endpoint for authors is available through
other means on WordPress sites (author archive pages, author taglines,
etc.) - although not all themes will display this in a way that's readable
(hidden elements, HTML attributes, etc.).
I unfortunately cannot find the previous ticket about this with extra
details, but the endpoint as it exists today is required and doesn't
display anything deemed private.
There do exist plugins to disable parts of the API, some security plugins
do, but doing so is highly likely to break other API clients at some
point.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/43359#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
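The comment above notes that plugins which simply remove parts of the REST API tend to break other API clients. The snippet below is an added example (not WordPress core code, not the plugin code referred to in the ticket, and not part of the original message) of the narrower alternative a site owner usually wants: keep the `/wp/v2/users` routes registered so that logged-in clients (the editor, app-password integrations) keep working, but refuse unauthenticated requests to them. It hooks the core `rest_pre_dispatch` filter and uses only core APIs (`WP_REST_Request::get_route()`, `is_user_logged_in()`, `WP_Error`); the route regex and the error code string `rest_cannot_list_users` are this example's own choices.

```php
<?php
/**
 * Added example: require authentication for the /wp/v2/users routes
 * without unregistering them. Drop this into a small must-use plugin.
 *
 * rest_pre_dispatch runs before the route's own permission callback; a
 * WP_Error returned here is sent back as the response, while returning
 * $result (null) lets dispatch continue normally.
 */
add_filter( 'rest_pre_dispatch', function ( $result, WP_REST_Server $server, WP_REST_Request $request ) {
    // Another filter already short-circuited the request: leave it alone.
    if ( null !== $result ) {
        return $result;
    }

    // Cookie+nonce or application-password auth has already run, so this
    // reflects the request's authenticated user, if any.
    if ( is_user_logged_in() ) {
        return $result;
    }

    // Match the collection (/wp/v2/users) and single-item (/wp/v2/users/123)
    // routes; the regex is this example's own, not a core constant.
    if ( preg_match( '#^/wp/v2/users(/|$)#', $request->get_route() ) ) {
        return new WP_Error(
            'rest_cannot_list_users',
            'Authentication is required to access user data.',
            array( 'status' => rest_authorization_required_code() )
        );
    }

    return $result;
}, 10, 3 );
```

Two caveats a practitioner should keep in mind before deploying this. First, it also applies to embedded author data: a logged-out request for `/wp/v2/posts?_embed` dispatches an internal request to the author route, so the `wp:author` embed will carry this error instead of the author object, and any front-end code relying on that embed must tolerate it. Second, as the comment says, the same author names remain reachable through author archive pages and theme output, so this changes the exposure path of already-public data rather than making it private; auditing what themes render is the complementary step.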