Non-Public data returned in API calls

Kirby

Well-known member
Affected version
2.2.13
A custom user field can be defined as
  • Not being editable by the user
  • Not being shown on profile pages
  • Not being shown in message user info
  • Not being required
The general perception here is that such a field is "private", e.g. can only be seen / modified by Moderators or Administrators.

Yet such fields are returned in API calls like me if the API key has scope user:read.

This could be a security issue, at least it is unexpected.

Suggested Fix
Do not return information in API calls (including but not limited to me) that is otherwise not normally accessible by the user (Preferred)
or
Explicitly document such behaviour
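The preferred fix, as an added illustration that is not code from the report or from XenForo: an API serializer that drops custom user fields whose every visibility and editability flag is off unless the calling key belongs to a moderator or administrator, and returns nothing at all without the `user:read` scope. Field definition names, the `is_staff` flag and the sample data are assumptions constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FieldDef:
    # Hypothetical mirror of a custom user field definition; flag names are assumptions.
    field_id: str
    user_editable: bool      # may the user change it themselves?
    viewable_profile: bool   # shown on profile pages?
    viewable_message: bool   # shown in message user info?
    required: bool           # must be filled in?


def is_private(fd: FieldDef) -> bool:
    """A field with all four flags off is 'private' in the report's sense:
    only moderators/administrators normally see or modify it."""
    return not (fd.user_editable or fd.viewable_profile
                or fd.viewable_message or fd.required)


def filter_custom_fields(values: dict, defs: dict, scopes: set, is_staff: bool) -> dict:
    """Return only the custom field values an API caller should receive.
    values: {field_id: value} stored on the user; defs: {field_id: FieldDef};
    scopes: scopes granted to the API key; is_staff: key owner is mod/admin."""
    if "user:read" not in scopes:
        return {}                       # no read scope, no user data at all
    out = {}
    for fid, val in values.items():
        fd = defs.get(fid)
        if fd is None:
            continue                    # unmapped field: never emit unknown data
        if is_private(fd) and not is_staff:
            continue                    # the bug: the original returns this too
        out[fid] = val
    return out


# Constructed sample: one public field, one staff-only note.
FIELD_DEFS = {
    "twitter": FieldDef("twitter", True, True, True, False),
    "mod_note": FieldDef("mod_note", False, False, False, False),
}
USER_VALUES = {"twitter": "@example", "mod_note": "watchlisted", "ghost": "x"}

if __name__ == "__main__":
    print(filter_custom_fields(USER_VALUES, FIELD_DEFS, {"user:read"}, is_staff=False))
```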
 