
Opened 8 months ago

Last modified 3 months ago

#4047 assigned defect

WordCamp.org: meetups exposed in REST API

Reported by: sippis
Owned by: sippis
Milestone:
Priority: low
Component: WordCamp Site & Plugins
Keywords: good-first-bug has-patch needs-testing
Cc:

Description

All the meetups, regardless of their status, are exposed to the public in the REST API if you happen to know or guess the post ID.

The endpoint does not reveal any sensitive information, and almost all the same details are exposed to the public on the meetup application status report page (https://central.wordcamp.org/reports/meetup-applications/). But I guess we really shouldn't expose meetups in the REST API, because the status report page limits the visibility in some way (e.g. for the time period) and the meetup REST API base (https://central.wordcamp.org/wp-json/wp/v2/meetups) returns an empty array?

Attachments (1)

4047.diff (6.2 KB) - added by sippis 4 months ago.


Change History (8)

#1 follow-up: @iandunn
8 months ago

Hmmm, I don't think I see any problem with these being available in the API. Unless there are privacy/security implications, I personally like to err on the side of transparency unless we have a tangible reason to make it private.

I think the limitations on the application status page were intended to make that page more usable for a specific purpose, rather than to prevent people from having access to the data.

Are there any downsides to leaving it public?

#2 in reply to: ↑ 1 @sippis
8 months ago

  • Priority changed from normal to low

Replying to iandunn:

Are there any downsides to leaving it public?

Not really that I can think of. The only far-fetched downside is if we end up making an internal tool leveraging the REST API, extending the meetup response to contain sensitive meta, and forgetting that this endpoint is exposed to the public.

This ticket was mentioned in Slack in #meta-wordcamp by iandunn.


7 months ago

#4 @iandunn
7 months ago

  • Keywords good-first-bug added

Several contributors discussed this in Slack (see above) and agreed it would be a good idea :)

This ticket was mentioned in Slack in #meta-wordcamp by sippis.


4 months ago

@sippis
4 months ago

#6 @sippis
4 months ago

  • Keywords has-patch needs-testing added; needs-patch removed

The patch copies the custom rest_controller_class from WordCamps to make the meetup REST API endpoint behave similarly to the WordCamp endpoint, assuming that the patch in #4048 is applied. It also sets default post statuses in the rest_wp_meetup_collection_params filter, again similar to the WordCamp CPT.
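
A sketch of the approach described in comment #6, as an added example that is not the contents of 4047.diff and not WordCamp.org code: a controller subclass that limits REST reads to an allow-list of statuses, plus the matching collection default. The class name, helper name and status slugs are hypothetical, and the post type slug wp_meetup is assumed from the filter name in the comment.

```php
<?php
// Added illustration, not the contents of 4047.diff. The class name, helper
// name and status slugs are hypothetical; 'wp_meetup' is the post type slug
// implied by the rest_wp_meetup_collection_params filter named in the ticket.
function example_public_meetup_statuses() {
	return array( 'example-active', 'example-approved' ); // assumed, registered elsewhere
}

class Example_Meetups_REST_Controller extends WP_REST_Posts_Controller {
	// Used for single items and for each row of a collection: run core's
	// check first, then require an allow-listed status or edit rights.
	public function check_read_permission( $post ) {
		if ( ! parent::check_read_permission( $post ) ) {
			return false;
		}
		return in_array( $post->post_status, example_public_meetup_statuses(), true )
			|| current_user_can( 'edit_post', $post->ID );
	}

	// Let anonymous clients ask for allow-listed statuses; any other status
	// still goes through core's capability check.
	public function sanitize_post_statuses( $statuses, $request, $parameter ) {
		$statuses = wp_parse_slug_list( $statuses );
		foreach ( $statuses as $status ) {
			if ( in_array( $status, example_public_meetup_statuses(), true ) ) {
				continue;
			}
			$result = parent::sanitize_post_statuses( array( $status ), $request, $parameter );
			if ( is_wp_error( $result ) ) {
				return $result;
			}
		}
		return $statuses;
	}
}

// Attach the controller; must be hooked before the post type is registered.
add_filter( 'register_post_type_args', function ( $args, $post_type ) {
	if ( 'wp_meetup' === $post_type ) {
		$args['rest_controller_class'] = 'Example_Meetups_REST_Controller';
	}
	return $args;
}, 10, 2 );

// Default the collection to the allow-listed statuses instead of 'publish'.
add_filter( 'rest_wp_meetup_collection_params', function ( $params ) {
	if ( isset( $params['status'] ) ) {
		$params['status']['default'] = example_public_meetup_statuses();
	}
	return $params;
} );
```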

This ticket was mentioned in Slack in #meta-wordcamp by iandunn.


3 months ago
