[wp-trac] [WordPress Trac] #49110: Add ability to lock/restrict public REST API access from WP Admin

WordPress Trac noreply at wordpress.org
Tue Dec 31 19:09:50 UTC 2019


#49110: Add ability to lock/restrict public REST API access from WP Admin
-------------------------+------------------------------------------------
 Reporter:  apedog       |       Owner:  (none)
     Type:  enhancement  |      Status:  new
 Priority:  normal       |   Milestone:  Awaiting Review
Component:  REST API     |     Version:
 Severity:  normal       |  Resolution:
 Keywords:               |     Focuses:  administration, rest-api, privacy
-------------------------+------------------------------------------------

Comment (by TimothyBlynJacobs):

 > Not every WordPress installation is a CMS. Some are small front-facing
 > HTML-only sites. Sites whose users/admins shouldn't be expected to deal
 > with REST and its risks.

 What are the risks? A small front-facing HTML only site is the site that
 would be least impacted by the REST API. Since it is only exposing data
 that would already be public.

 > Theme template files do not expose as much data as REST queries.

 I think we have to be explicit here, what data is that? In a standard
 WordPress theme, I'm not sure what data is exposed that wouldn't already
 be exposed.

 > But the ability to control those options should be given to the user.
 > Basic control through the admin area

 The way this has been done is through the use of dedicated plugins. An
 argument has to be made as to _why_ the REST API in its current state is such
 a privacy risk that it must be easily disabled from the admin without the
 use of any plugins.

 > On a default setup as far as I'm aware there's more than that on /users/
 > endpoint. We have ID, Name ( what is chosen for display), url, bio, slug
 > (which should pretty much be the username in most occasions if not all) &
 > Gravatar links.

 I think those are the same? Sorry what am I missing. The author ID and
 slug are already exposed publicly.

 > As an example: a website might not be utilizing "authors" views via its
 > theme and not mentioning anywhere how many or who the authors are.

 We don't have an option in core to disable author archives. Even if the
 theme doesn't have custom author archive templates, you can still see the
 default templates, no?

 So if a theme is intentionally completely disabling author archives and
 templates, I'd expect them to disable it in the REST API as well. Are
 WordPress.org themes allowed to disable those templates?

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/49110#comment:6>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
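An added example of the plugin approach the comment refers to; it is not code from the ticket or from WordPress core. It is an mu-plugin that requires an authenticated user for the /wp/v2/users routes discussed above while leaving every other route public, so the block editor and plugins that rely on the REST API keep working. The route pattern, error code and message are assumptions.

```php
<?php
/**
 * Plugin Name: Require authentication for the REST users routes
 *
 * Example plugin (not part of WordPress core or of this ticket). Drop it into
 * wp-content/mu-plugins/ and it is loaded automatically. It does not change
 * what author archives already expose (display name, slug, avatar); it only
 * stops anonymous enumeration of users through /wp/v2/users.
 */

add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    // Another callback has already short-circuited the request; leave it.
    if ( null !== $result ) {
        return $result;
    }

    // Logged-in users (cookie + nonce, or application passwords) keep full
    // access; capability checks on the routes themselves still apply.
    if ( is_user_logged_in() ) {
        return null;
    }

    // Match the collection (/wp/v2/users) and single-user (/wp/v2/users/12)
    // routes. rest_pre_dispatch also fires for internal requests made for
    // ?_embed, so embedded author objects on posts are covered as well.
    // The pattern, code and message below are assumptions for this example.
    if ( preg_match( '#^/wp/v2/users(/|$)#', $request->get_route() ) ) {
        return new WP_Error(
            'rest_users_restricted',
            __( 'You must be logged in to access user data.' ),
            array( 'status' => 401 )
        );
    }

    return null;
}, 10, 3 );
```

An anonymous `GET /wp-json/wp/v2/users` then returns a 401 JSON error instead of the user list, while `GET /wp-json/wp/v2/posts` is unaffected.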