Project

General

Profile

Actions
Copy link

Bug #19775

closed

Check member status when using REST API for private sites

Added by Raymond Hoh 2 months ago. Updated about 2 months ago.

Status:
Resolved
Priority name:
Normal
Assignee:
Raymond Hoh
Category name:
WordPress (Permissions)
Target version:
2.3.3
Start date:
2024-02-19
Due date:
% Done:

0%

Estimated time:
Deployment actions:

Description

We allow sites to alter their site privacy with the "More Privacy Options" plugin.

The MPO plugin currently does member status checks for users on the frontend to determine if a user is able to access a private site, however member status checks are not done when accessing the WP REST API. So it would be possible for someone to access private content if the user was savvy enough with the WP REST API to query for post content, etc.

This was brought up in a CBOX OpenLab support thread: https://cboxopenlab.org/groups/the-hub/forum/topic/question-about-the-more-privacy-options-plugin/#post-696

Fix forthcoming.

Actions
Copy link
 #1

Updated by Raymond Hoh 2 months ago

  • Status changed from New to Staged for Production Release

I've added a commit to check REST API requests against the current user and site privacy in https://github.com/cuny-academic-commons/cac/commit/f60aad213546afe6ffe52f4eb0fc19c58dc4ebc2 .

It's an altered version of what is recommended in the WP REST API handbook: https://developer.wordpress.org/rest-api/frequently-asked-questions/#require-authentication-for-all-requests .

Boone, one thing I didn't do is block REST API requests for when blog_public = 0. Should we block off access to the REST API in this case?

Actions
Copy link
 #2

Updated by Boone Gorges 2 months ago

Thanks, Ray! This fix looks good to me.

Boone, one thing I didn't do is block REST API requests for when blog_public = 0. Should we block off access to the REST API in this case?

I would say no. Just as we allow access to the site in a browser if you know the URL, we should allow access in this case to the resource if you know the URL.

We should think about a good approach for addressing this in Commons In A Box. We could put something like you've suggested into the CBOX package, or pursue a fork (one that we write, or one that we collaborate with the doi-lab folks on, or perhaps we just use their fork directly)

Actions
Copy link
 #3

Updated by Boone Gorges about 2 months ago

  • Status changed from Staged for Production Release to Resolved
Actions
Copy link

Also available in: Atom PDF