Making WordPress.org

Opened 6 years ago

Closed 4 years ago

#4048 closed defect (bug) (reported-upstream)

WordCamp.org: WordCamps with non-public statuses are exposed in REST API

Reported by: sippis's profile sippis Owned by: sippis's profile sippis
Milestone: Priority: normal
Component: WordCamp Site & Plugins Keywords: good-first-bug has-patch needs-testing
Cc:

Description

WordCamp REST API base (https://central.wordcamp.org/wp-json/wp/v2/wordcamps) exposes only WordCamps with public statuses. If you happen to know or guess post ID, you can still query singular camps that do have non-public statuses.

I guess we really shouldn't expose WordCamps in REST API, in favor of following the same practice as WordCamp REST API base.

Attachments (1)

4048.diff (1.5 KB) - added by sippis 5 years ago.

Download all attachments as: .zip

Change History (11)

#1 @iandunn
6 years ago

Hmm, I'm curious why they're available by ID but not in the main list. Is there something in the code where we're explicitly removing them from the main list, and we just accidentally left them in the individual responses? Or were they accidentally removed from the main response as a side-effect of having custom statuses?

Similar to #4047, I personally prefer to err on the side of transparency unless there's a tangible privacy or security reason to make the data private.

#2 @sippis
6 years ago

Looks like WordCamps with private statuses are removed purposely from the main list, see changeset [4804]. In that changeset, Corey did set the main list to contain only public statuses and restricted fully private status listings (eg https://central.wordcamp.org/wp-json/wp/v2/wordcamps?status=wcpt-mtp-rejected).

Replying to iandunn:

Similar to #4047, I personally prefer to err on the side of transparency unless there's a tangible privacy or security reason to make the data private.

In my opinion, in this case, there might be a privacy reason. Unlike in meetup endpoint, WordCamp endpoint has custom fields added to the response. Those fields contain applicants name and w.org usernames, for example. Yeah, public application status report page does contain that information also but only for a limited period - public status reports don't.

This ticket was mentioned in Slack in #meta-wordcamp by iandunn. View the logs.


6 years ago

#4 @iandunn
6 years ago

  • Keywords good-first-bug added

#5 @iandunn
6 years ago

Several contributors discussed this in Slack (see above) and agreed it would be a good idea :)

This ticket was mentioned in Slack in #meta-wordcamp by sippis. View the logs.


5 years ago

@sippis
5 years ago

#7 @sippis
5 years ago

  • Keywords has-patch needs-testing added; needs-patch removed

Patch add our own check_read_permission function to our custom WordCamp_REST_WordCamps_Controller class. Our custom functionality checks the post status against WordCamp_Loader::get_public_post_statuses() list added with wcpt-cancelled status and fallbacks to default WP_REST_Posts_Controller::check_read_permission when post status is readbale.

This ticket was mentioned in Slack in #meta-wordcamp by coreymckrill. View the logs.


5 years ago

This ticket was mentioned in Slack in #meta-wordcamp by iandunn. View the logs.


4 years ago

#10 @dd32
4 years ago

  • Resolution set to reported-upstream
  • Status changed from assigned to closed

This ticket has been moved to GitHub https://github.com/WordPress/wordcamp.org/issues/610

Note: See TracTickets for help on using tickets.