[wp-trac] [WordPress Trac] #49110: Add ability to lock/restrict public REST API access from WP Admin

WordPress Trac noreply at wordpress.org
Tue Dec 31 18:48:55 UTC 2019


#49110: Add ability to lock/restrict public REST API access from WP Admin
-------------------------+------------------------------------------------
 Reporter:  apedog       |       Owner:  (none)
     Type:  enhancement  |      Status:  new
 Priority:  normal       |   Milestone:  Awaiting Review
Component:  REST API     |     Version:
 Severity:  normal       |  Resolution:
 Keywords:               |     Focuses:  administration, rest-api, privacy
-------------------------+------------------------------------------------

Comment (by xkon):

 This is a really nice topic and thanks for bringing it up @apedog. I've
 also read the whole Slack discussion but I'll add my thoughts here as
 Slack is hard to keep discussions going in as we're all in async mode :).

 First, let me just say that I do agree with @TimothyBlynJacobs's and
 @SergeyBiryukov's mentions that it wouldn't make much of a difference to
 disable public access to REST just for "copying" reasons. That can be done
 in various ways, some are easier, others are harder, but the "damage" can
 be done at the end of the day.

 That being said I wouldn't go to the lengths of disabling all REST
 endpoints as some data are either way publicly available from the
 website's structure itself so it wouldn't make much of a difference, i.e.
 Posts/Pages :) .

 But I am interested to hear thoughts regarding Users.

 @TimothyBlynJacobs you mention:

 > Additionally, only their display name, URL, and bio are displayed.

 On a default setup, as far as I'm aware, there's more than that on the /users/
 endpoint. We have ID, Name (what is chosen for display), url, bio, slug
 (which should pretty much be the username in most occasions if not all) &
 Gravatar links.

 So IMHO, pushing out usernames & pictures, etc. by default might be
 acceptable, but there should be a way of at least having that disabled or
 automatically following the rules of a theme and website setup (that could
 be hard :D).

 As an example: a website might not be utilizing "authors" views via its
 theme and not mentioning anywhere how many or who the authors are. Since
 they have published a post or a page they are added on the REST endpoint,
 which goes "against" what the site owner has tried to accomplish.

 Yes, anyone could add a plugin to alter REST and how it works, there are
 plenty out there, but not everyone is aware of REST and that their site
 might still have aspects publicly available that they are trying to "hide"
 by altering their themes and not using /author/ templates.

 Do tell me if I'm missing the mark here though, as I'm not aware if REST
 would actually hide anything of the above mentioned automatically etc. :).

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/49110#comment:5>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
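For a site owner who wants the behaviour the comment describes on a single site today, here is an added example (not code from the ticket, from xkon, or from WordPress core): a must-use plugin that returns 401 for anonymous requests to the `/wp/v2/users` routes while leaving core's own permission checks in place for logged-in users. The function and constant names are hypothetical; the filter `rest_pre_dispatch`, `rest_authorization_required_code()` and the route prefix are real WordPress APIs.

```php
<?php
/**
 * Plugin Name: Require authentication for the REST users routes
 *
 * Added example, not code from this ticket or from WordPress core. It assumes
 * the site has no anonymous client that needs /wp/v2/users (for instance a
 * client-side author directory); if it does, do not install this file.
 * Place it in wp-content/mu-plugins/ so it loads on every request.
 */

// Every route registered by WP_REST_Users_Controller begins with this prefix
// (/wp/v2/users, /wp/v2/users/(?P<id>[\d]+), /wp/v2/users/me, ...).
const EXAMPLE_USERS_ROUTE_PREFIX = '/wp/v2/users';

/**
 * Short-circuit requests to the users routes unless the caller is authenticated.
 *
 * rest_pre_dispatch fires after WP_REST_Server::check_authentication(), so cookie
 * auth (including its nonce check) has already run and is_user_logged_in() is
 * reliable here; an anonymous caller is exactly what the ticket wants to lock out.
 *
 * @param mixed           $result  Non-null value returns this instead of dispatching.
 * @param WP_REST_Server  $server  The REST server instance.
 * @param WP_REST_Request $request The incoming request.
 * @return mixed
 */
function example_require_auth_for_users_routes( $result, $server, $request ) {
	$route = $request->get_route();

	if ( 0 !== strpos( $route, EXAMPLE_USERS_ROUTE_PREFIX ) ) {
		return $result; // Not a users route: leave dispatch untouched.
	}

	if ( is_user_logged_in() ) {
		// Authenticated callers still go through core's own permission checks
		// (list_users for GET /users, edit_posts for ?who=authors, etc.), so
		// the block editor's author dropdown and /users/me keep working.
		return $result;
	}

	return new WP_Error(
		'rest_user_authentication_required',
		__( 'You must be logged in to access user data.' ),
		array( 'status' => rest_authorization_required_code() )
	);
}
add_filter( 'rest_pre_dispatch', 'example_require_auth_for_users_routes', 10, 3 );
```

This only closes the REST route; it does not change the theme-side exposure the comment mentions (author archives and `/author/` templates), which has to be handled separately in the theme. The route also still appears in the `/wp-json/` index, so this is an access control, not a way to hide that the endpoint exists.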