[wp-trac] [WordPress Trac] #49110: Add ability to lock/restrict public REST API access from WP Admin

WordPress Trac noreply at wordpress.org
Tue Dec 31 18:37:34 UTC 2019


#49110: Add ability to lock/restrict public REST API access from WP Admin
-------------------------+------------------------------------------------
 Reporter:  apedog       |       Owner:  (none)
     Type:  enhancement  |      Status:  new
 Priority:  normal       |   Milestone:  Awaiting Review
Component:  REST API     |     Version:
 Severity:  normal       |  Resolution:
 Keywords:               |     Focuses:  administration, rest-api, privacy
-------------------------+------------------------------------------------

Comment (by apedog):

 > What makes REST API so special, or should WordPress just warn that it is
 a publishing platform?
 Not every WordPress installation is a CMS. Some are small front-facing
 HTML-only sites. Sites whose users/admins shouldn't be expected to deal
 with REST and its risks.
 It's not about telling the user "Oh btw, we're also exposing the data
 through REST queries. Be careful. Study up. Maybe install a plugin".
 A user should have the option to simply disable this from the Admin area.
 This should be a core default option.

 >All interfaces/formats/APIs, HTML, XML, JSON (RPC/REST) were introduced by
 decisions, not options.
 I've heard this and don't really know what it means. A decision might be
 made as to the default options. That makes sense. But the ability to
 control those options should be given to the user. Basic control through
 the admin area. More granular control through code (the latter, I believe,
 exists; the former does not).

 @TimothyBlynJacobs
 First of all, thank you for all the technical notes. However, I didn't open
 this ticket in order to fix/change REST on my installations, but as an
 option that I believe should exist by default, to be used by site admins
 without technical knowledge and without coding.

 > only authors of posts that are shown in the Rest API are included.
 Additionally, only their display name, URL, and bio are displayed.
 That's still a lot. Consider a database created before the advent of REST
 in WordPress. It might have outdated information. Or information the user
 never expected to be released publicly. It does not appear on the front
 HTML pages (theme templates). The user has no expectation of the
 information being available publicly.

 >>There may be GDPR concerns involved.
 >Could you share an example of what these concerns would be? Only public
 data is exposed by default.
 Apologies. That should read as MAYBE (may, might). I don't know of any
 myself. I wrote that as a discussion opening-point. If there are none -
 then that point should be conceded.

 >Only data that is also exposed in the theme and RSS.
 Theme template files do not expose as much data as REST queries, and they
 are much more commonly tested (via the browser inspector and view-source,
 ctrl+u) than REST APIs are. Editing theme templates requires minimal/low-
 level technical knowledge (either of PHP or of WordPress core) and is very
 common. The same cannot be said of REST and RSS.

 If some of these concerns also affect RSS - then that should be addressed
 too. I defer to those with better technical knowledge and suggest that's
 out of the scope of this ticket.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/49110#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform


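The comment above contrasts control through the admin area (which the ticket asks for) with control through code, which already exists. The following must-use plugin is an added example of that second route; it is not part of ticket #49110 and not WordPress core code. It assumes a stock WordPress install and a file placed in wp-content/mu-plugins/. Option A requires a logged-in user for every REST request; Option B is the narrower alternative that only hides the /wp/v2/users routes (display name, URL and bio of post authors, the data the comment is concerned about) from anonymous visitors. The error message string and the plugin header are the example's own.

```php
<?php
/**
 * Plugin Name: Restrict public REST API access (added example, not from #49110)
 * Description: Drop this file into wp-content/mu-plugins/. Option A requires a
 *              logged-in user for every REST API request; Option B only hides
 *              the /wp/v2/users routes from anonymous visitors. Keep one or both.
 */

// Option A: require an authenticated user for every REST request.
//
// WordPress applies 'rest_authentication_errors' in
// WP_REST_Server::check_authentication() before dispatching a request. Core's
// own cookie/nonce check, rest_cookie_check_errors(), runs at priority 100 and
// downgrades a cookie session that carries no valid nonce to an anonymous
// user, so this callback is hooked at 101 so that is_user_logged_in() reflects
// the state the REST server has actually verified.
add_filter( 'rest_authentication_errors', function ( $result ) {
    // An earlier callback already rejected the request: keep that error.
    if ( is_wp_error( $result ) ) {
        return $result;
    }
    // Authenticated users (cookie + nonce, application passwords, or a
    // plugin's authentication) proceed to the normal per-route permission
    // callbacks; returning $result unchanged does not short-circuit those.
    if ( is_user_logged_in() ) {
        return $result;
    }
    // Anonymous request: reply 401 using the standard REST error envelope.
    return new WP_Error(
        'rest_not_logged_in',
        __( 'The REST API on this site requires authentication.' ),
        array( 'status' => 401 )
    );
}, 101 );

// Option B: keep the API public but unregister the users routes for anonymous
// visitors, so author display names, URLs and bios are not listable at
// /wp-json/wp/v2/users. 'rest_endpoints' is applied in
// WP_REST_Server::get_routes(), which the server consults during dispatch,
// i.e. after check_authentication() has run. A removed route falls through to
// the server's normal "No route was found" 404 (code rest_no_route).
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        // Matches /wp/v2/users, /wp/v2/users/(?P<id>[\d]+) and /wp/v2/users/me.
        if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );
```

To check the result from outside, request the users collection anonymously, for example `curl -i https://example.com/wp-json/wp/v2/users` (hostname assumed): with Option A the response is a 401 whose JSON body carries `"code":"rest_not_logged_in"`; with Option B alone the public routes still answer but this one returns a 404 with `"code":"rest_no_route"`. Option A also blocks anonymous front-end JavaScript that relies on the REST API (some contact-form and comment plugins do), which is the trade-off the ticket's discussion of "REST and its risks" is about; Option B keeps those working and only closes the author-data listing.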