Opened 6 years ago
Closed 4 years ago
#4048 closed defect (bug) (reported-upstream)
WordCamp.org: WordCamps with non-public statuses are exposed in REST API
Reported by: | sippis | Owned by: | sippis |
---|---|---|---|
Milestone: | Priority: | normal | |
Component: | WordCamp Site & Plugins | Keywords: | good-first-bug has-patch needs-testing |
Cc: |
Description
WordCamp REST API base (https://central.wordcamp.org/wp-json/wp/v2/wordcamps) exposes only WordCamps with public statuses. If you happen to know or guess post ID, you can still query singular camps that do have non-public statuses.
I guess we really shouldn't expose WordCamps in REST API, in favor of following the same practice as WordCamp REST API base.
Attachments (1)
Change History (11)
#2
@
6 years ago
Looks like WordCamps with private statuses are removed purposely from the main list, see changeset [4804]. In that changeset, Corey did set the main list to contain only public statuses and restricted fully private status listings (eg https://central.wordcamp.org/wp-json/wp/v2/wordcamps?status=wcpt-mtp-rejected).
Replying to iandunn:
Similar to #4047, I personally prefer to err on the side of transparency unless there's a tangible privacy or security reason to make the data private.
In my opinion, in this case, there might be a privacy reason. Unlike in meetup endpoint, WordCamp endpoint has custom fields added to the response. Those fields contain applicants name and w.org usernames, for example. Yeah, public application status report page does contain that information also but only for a limited period - public status reports don't.
This ticket was mentioned in Slack in #meta-wordcamp by iandunn. View the logs.
6 years ago
#5
@
6 years ago
Several contributors discussed this in Slack (see above) and agreed it would be a good idea :)
This ticket was mentioned in Slack in #meta-wordcamp by sippis. View the logs.
5 years ago
#7
@
5 years ago
- Keywords has-patch needs-testing added; needs-patch removed
Patch add our own check_read_permission
function to our custom WordCamp_REST_WordCamps_Controller
class. Our custom functionality checks the post status against WordCamp_Loader::get_public_post_statuses()
list added with wcpt-cancelled
status and fallbacks to default WP_REST_Posts_Controller::check_read_permission
when post status is readbale.
This ticket was mentioned in Slack in #meta-wordcamp by coreymckrill. View the logs.
5 years ago
This ticket was mentioned in Slack in #meta-wordcamp by iandunn. View the logs.
4 years ago
#10
@
4 years ago
- Resolution set to reported-upstream
- Status changed from assigned to closed
This ticket has been moved to GitHub https://github.com/WordPress/wordcamp.org/issues/610
Hmm, I'm curious why they're available by ID but not in the main list. Is there something in the code where we're explicitly removing them from the main list, and we just accidentally left them in the individual responses? Or were they accidentally removed from the main response as a side-effect of having custom statuses?
Similar to #4047, I personally prefer to err on the side of transparency unless there's a tangible privacy or security reason to make the data private.