Making WordPress.org

Opened 4 months ago

Last modified 3 months ago

#4047 assigned defect

WordCamp.org: meetups exposed in REST API

Reported by: sippis
Owned by: sippis
Milestone:
Priority: low
Component: WordCamp Site & Plugins
Keywords: needs-patch good-first-bug


All the meetups, regardless of their status, are exposed to the public in the REST API if you happen to know or guess the post ID.

The endpoint does not reveal any sensitive information, and almost all the same details are exposed to the public in the meetup application status report page (https://central.wordcamp.org/reports/meetup-applications/). But I guess we really shouldn't expose meetups in the REST API, because the status report page limits the visibility in some way (e.g. for the time period) and the meetup REST API base (https://central.wordcamp.org/wp-json/wp/v2/meetups) returns an empty array?
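For reference, here are the two usual ways to close the read-by-ID path the ticket describes. This is an added example written for this page, not code from the WordCamp.org repository. It assumes only what the ticket shows: that the meetup post type is registered with a REST base of "meetups" (the URL above). The post type slug itself is not stated on the page, so the code matches on the REST base instead of guessing a slug. Constant and function names are the example's own.

```php
<?php
/**
 * Plugin Name: Hide meetups from the REST API (added example, not WordCamp.org code)
 *
 * Drop into wp-content/mu-plugins/ to activate. Either option alone closes
 * the anonymous GET /wp-json/wp/v2/meetups/<id> path; if both are active,
 * Option A wins because the routes are never registered.
 *
 * Assumption: the meetup post type's REST base is "meetups", as in the URL on
 * the ticket. The post type slug is not on the page, so we match the base.
 */

const WCORG_MEETUP_REST_BASE = 'meetups';

/**
 * Option A: do not expose the post type in the REST API at all.
 *
 * register_post_type_args runs before the post type is registered, so
 * clearing show_in_rest here removes the collection route (/wp/v2/meetups),
 * the single-item route (/wp/v2/meetups/<id>) and the type from /wp/v2/search.
 * Requests then get a 404 rest_no_route, like any post type that never opted in.
 */
add_filter( 'register_post_type_args', function ( array $args, string $post_type ): array {
	$rest_base = $args['rest_base'] ?? $post_type;

	if ( WCORG_MEETUP_REST_BASE === $rest_base ) {
		$args['show_in_rest'] = false;
	}

	return $args;
}, 10, 2 );

/**
 * Option B: keep the routes, but require a user who can edit posts.
 *
 * This keeps the door open for an internal tool (authenticated via cookie +
 * nonce or an application password) while closing anonymous reads.
 * rest_pre_dispatch runs after authentication and before the route callback;
 * returning a WP_Error short-circuits the request, so the collection, the
 * single item and any sub-routes (e.g. /autosaves) are gated in one place.
 */
add_filter( 'rest_pre_dispatch', function ( $result, WP_REST_Server $server, WP_REST_Request $request ) {
	$route  = $request->get_route();
	$prefix = '/wp/v2/' . WCORG_MEETUP_REST_BASE;

	// Only act on this post type's routes (exact base or base + '/...'); leave the rest of the API alone.
	if ( $route !== $prefix && 0 !== strpos( $route, $prefix . '/' ) ) {
		return $result;
	}

	if ( ! current_user_can( 'edit_posts' ) ) {
		return new WP_Error(
			'rest_forbidden',
			__( 'Sorry, you are not allowed to view meetups via the REST API.' ),
			// 401 for anonymous requests, 403 for a logged-in user lacking the capability.
			array( 'status' => rest_authorization_required_code() )
		);
	}

	return $result;
}, 10, 3 );
```

To confirm the change took effect, request a known meetup ID anonymously, e.g. `curl -i https://central.wordcamp.org/wp-json/wp/v2/meetups/<id>`: Option A should answer 404 with code `rest_no_route`, Option B should answer 401 with code `rest_forbidden`, and the same request with a valid authenticated session should still return the post under Option B. Option A is the simpler fix for what the ticket asks; Option B is the one to reach for if the "internal tool" concern raised later in the thread ever materialises.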

Change History (4)

#1 follow-up: @iandunn
3 months ago

Hmmm, I don't think I see any problem with these being available in the API. Unless there are privacy/security implications, I personally like to err on the side of transparency unless we have a tangible reason to make it private.

I think the limitations on the application status page were intended to make that page more usable for a specific purpose, rather than to prevent people from having access to the data.

Are there any downsides to leaving it public?

#2 in reply to: ↑ 1 @sippis
3 months ago

  • Priority changed from normal to low

Replying to iandunn:

Are there any downsides to leaving it public?

Not really that I can think of. The only far-fetched downside is if we end up making an internal tool leveraging the REST API, extending the meetup response to contain sensitive meta and forgetting about this endpoint's exposure to the public.

#3 This ticket was mentioned in Slack in #meta-wordcamp by iandunn.
3 months ago

#4 @iandunn
3 months ago

  • Keywords good-first-bug added

Several contributors discussed this in Slack (see above) and agreed it would be a good idea :)
