Opened 11 days ago

Last modified 9 days ago

#4048 assigned defect

WordCamp.org: WordCamps with non-public statuses are exposed in REST API

Reported by: sippis
Owned by: sippis
Milestone:
Priority: normal
Component: WordCamp Site & Plugins
Keywords: needs-patch
Cc:

Description

The WordCamp REST API base (https://central.wordcamp.org/wp-json/wp/v2/wordcamps) exposes only WordCamps with public statuses. If you happen to know or guess the post ID, you can still query singular camps that do have non-public statuses.

I guess we really shouldn't expose WordCamps in the REST API, in favor of following the same practice as the WordCamp REST API base.

Change History (2)

#1 @iandunn
9 days ago

Hmm, I'm curious why they're available by ID but not in the main list. Is there something in the code where we're explicitly removing them from the main list, and we just accidentally left them in the individual responses? Or were they accidentally removed from the main response as a side-effect of having custom statuses?

Similar to #4047, I personally prefer to err on the side of transparency unless there's a tangible privacy or security reason to make the data private.

#2 @sippis
9 days ago

Looks like WordCamps with private statuses are removed purposely from the main list, see changeset [4804]. In that changeset, Corey set the main list to contain only public statuses and restricted fully private status listings (e.g. https://central.wordcamp.org/wp-json/wp/v2/wordcamps?status=wcpt-mtp-rejected).

Replying to iandunn:

> Similar to #4047, I personally prefer to err on the side of transparency unless there's a tangible privacy or security reason to make the data private.

In my opinion, in this case, there might be a privacy reason. Unlike in the meetup endpoint, the WordCamp endpoint has custom fields added to the response. Those fields contain applicants' names and w.org usernames, for example. Yeah, the public application status report page does contain that information also, but only for a limited period - public status reports don't.
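
If the singular route is to follow the same status rule as the collection, as the ticket description proposes, one way to enforce that is a check that runs before the core handler. This is an added example, not code from the ticket, changeset [4804] or the WordCamp plugins; the `wordcamp` post type slug, the function name and the status allowlist are assumptions or placeholders.

```php
<?php
// Placeholder allowlist (assumption): the real set of public statuses is
// defined in the WordCamp code and is not shown on this page.
const EXAMPLE_PUBLIC_WORDCAMP_STATUSES = array( 'example-public-status' );

add_filter( 'rest_request_before_callbacks', 'example_hide_nonpublic_wordcamp', 10, 3 );

/**
 * Apply the collection's status rule to /wp/v2/wordcamps/<id> as well.
 *
 * @param mixed           $response Current response, or a WP_Error from an earlier filter.
 * @param array           $handler  Matched route handler (unused here).
 * @param WP_REST_Request $request  Incoming request.
 */
function example_hide_nonpublic_wordcamp( $response, $handler, $request ) {
	// Keep any error an earlier filter already produced.
	if ( is_wp_error( $response ) ) {
		return $response;
	}

	// Only the singular WordCamp route is of interest.
	if ( ! preg_match( '#^/wp/v2/wordcamps/(?P<id>\d+)$#', $request->get_route(), $m ) ) {
		return $response;
	}

	$post = get_post( (int) $m['id'] );

	// Unknown ID or another post type: let core produce its normal response.
	// 'wordcamp' as the post type slug is an assumption.
	if ( ! $post || 'wordcamp' !== $post->post_type ) {
		return $response;
	}

	// Public statuses stay readable by ID, exactly as in the collection.
	if ( in_array( $post->post_status, EXAMPLE_PUBLIC_WORDCAMP_STATUSES, true ) ) {
		return $response;
	}

	// Users who can edit the camp still get the item.
	if ( current_user_can( 'edit_post', $post->ID ) ) {
		return $response;
	}

	// Same error core returns for a missing post, so the reply does not
	// confirm that a non-public camp exists under this ID.
	return new WP_Error( 'rest_post_invalid_id', __( 'Invalid post ID.' ), array( 'status' => 404 ) );
}
```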
