Opened 6 years ago
Closed 4 years ago
#4047 closed defect (bug) (reported-upstream)
WordCamp.org: meetups exposed in REST API
Reported by:
Owned by:
Milestone:
Priority: low
Component: WordCamp Site & Plugins
Keywords: good-first-bug has-patch needs-testing
Cc:
Description
All the meetups, regardless of their status, are exposed to the public in the REST API if you happen to know or guess the post ID.
The endpoint does not reveal any sensitive information, and almost all the same details are exposed to the public in the meetup application status report page (https://central.wordcamp.org/reports/meetup-applications/). But I guess we really shouldn't expose meetups in the REST API, because the status report page limits the visibility in some way (e.g. for the time period) and the meetup REST API base (https://central.wordcamp.org/wp-json/wp/v2/meetups) returns an empty array?
Attachments (1)
Change History (10)
#2, in reply to ↑ 1, 6 years ago
- Priority changed from normal to low
Replying to iandunn:
Are there any downsides to leaving it public?
Not really that I can think of. The only far-fetched downside is if we end up making an internal tool leveraging REST API, extending meetup response to contain sensitive meta and forgetting this endpoint exposure to the public.
This ticket was mentioned in Slack in #meta-wordcamp by iandunn. View the logs.
6 years ago
#4, 6 years ago
- Keywords good-first-bug added
Several contributors discussed this in Slack (see above) and agreed it would be a good idea :)
This ticket was mentioned in Slack in #meta-wordcamp by sippis. View the logs.
6 years ago
#6, 6 years ago
- Keywords has-patch needs-testing added; needs-patch removed
Patch copies the custom rest_controller_class from WordCamps to make the meetup REST API endpoint behave similarly to WordCamp endpoint, assuming that patch in #4048 is applied. Also sets default post statuses in rest_wp_meetup_collection_params filter, again similar to WordCamp cpt.
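For readers unfamiliar with the mechanism named in the comment above, here is an added example (not the attached patch and not WordCamp.org code) of a custom rest_controller_class that makes reads depend on post status rather than on knowing a post ID. It assumes the post type slug is wp_meetup, inferred from the filter name in that comment; the class name and status slugs are constructed placeholders.

```php
<?php
// Added example, not the attached patch or WordCamp.org code.
// Assumptions: post type slug 'wp_meetup' (inferred from the filter name in
// the comment above); the status slugs are constructed placeholders.

const EXAMPLE_PUBLIC_MEETUP_STATUSES = array( 'example-active', 'example-scheduled' );

class Example_Meetup_REST_Controller extends WP_REST_Posts_Controller {
	/**
	 * Called for single-item reads (/wp/v2/meetups/<id>) and for each post in
	 * a collection response. Core's version is replaced so that knowing a
	 * post ID is not enough: the status must be allowlisted, or the caller
	 * must be able to edit the post.
	 */
	public function check_read_permission( $post ) {
		if ( in_array( $post->post_status, EXAMPLE_PUBLIC_MEETUP_STATUSES, true ) ) {
			return true;
		}

		return current_user_can( 'edit_post', $post->ID );
	}
}

// Attach the controller without touching the original register_post_type() call.
// This must run before the post type is registered on 'init'.
add_filter(
	'register_post_type_args',
	function ( $args, $post_type ) {
		if ( 'wp_meetup' === $post_type ) {
			$args['rest_controller_class'] = 'Example_Meetup_REST_Controller';
		}
		return $args;
	},
	10,
	2
);
```

This covers only the per-post read check; which statuses a collection request returns by default is a separate setting, which the comment above handles through the rest_wp_meetup_collection_params filter.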
This ticket was mentioned in Slack in #meta-wordcamp by iandunn. View the logs.
6 years ago
This ticket was mentioned in Slack in #meta-wordcamp by coreymckrill. View the logs.
5 years ago
#9, 4 years ago
- Resolution set to reported-upstream
- Status changed from assigned to closed
This ticket has been moved to GitHub https://github.com/WordPress/wordcamp.org/issues/661
Hmmm, I don't think I see any problem with these being available in the API. Unless there are privacy/security implications, I personally like to err on the side of transparency unless we have a tangible reason to make it private.
I think the limitations on the application status page were intended to make that page more usable for a specific purpose, rather than to prevent people from having access to the data.
Are there any downsides to leaving it public?