Bug #19775

closed

Check member status when using REST API for private sites

Added by Raymond Hoh 9 months ago. Updated 9 months ago.

Status: Resolved
Priority name: Normal
Assignee:
Category name: WordPress (Permissions)
Target version:
Start date: 2024-02-19
Due date:
% Done: 0%
Estimated time:
Deployment actions:

Description

We allow sites to alter their site privacy with the "More Privacy Options" plugin.

The MPO plugin currently does member status checks for users on the frontend to determine if a user is able to access a private site; however, member status checks are not done when accessing the WP REST API. So it would be possible for someone to access private content if the user was savvy enough with the WP REST API to query for post content, etc.

This was brought up in a CBOX OpenLab support thread: https://cboxopenlab.org/groups/the-hub/forum/topic/question-about-the-more-privacy-options-plugin/#post-696

Fix forthcoming.
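
One way to apply the same member status check to REST requests, as an added example that is not the More Privacy Options plugin's code or the fix made for this ticket. The function name and error code are hypothetical, and the mapping of negative `blog_public` values to privacy levels (-1 network users, -2 site members, -3 site administrators) is an assumption about how the plugin stores its setting.

```php
<?php
/**
 * Added example: enforce private-site membership on WP REST API requests.
 * Assumption: the privacy plugin stores restricted levels as negative
 * 'blog_public' values (-1 network users, -2 site members, -3 site admins).
 */

// Priority 110 runs after core's cookie/nonce check (priority 100), so a
// cookie-only request without a valid REST nonce is already treated as logged out.
add_filter( 'rest_authentication_errors', 'example_rest_private_site_check', 110 );

function example_rest_private_site_check( $result ) {
	// Keep an error already raised by another authentication handler.
	if ( is_wp_error( $result ) ) {
		return $result;
	}

	$level = (int) get_option( 'blog_public' );
	if ( $level >= 0 ) {
		return $result; // Site is not private: nothing to enforce.
	}

	$denied = new WP_Error(
		'example_rest_private_site', // Hypothetical error code.
		'This site is private.',
		array( 'status' => rest_authorization_required_code() ) // 401 or 403.
	);

	if ( ! is_user_logged_in() ) {
		return $denied;
	}
	if ( is_super_admin() ) {
		return $result;
	}

	switch ( $level ) {
		case -1: // Any logged-in network user.
			return $result;
		case -2: // Members of this site only.
			$is_member = is_user_member_of_blog( get_current_user_id(), get_current_blog_id() );
			return $is_member ? $result : $denied;
		default: // -3 and any unrecognized level: fail closed to site admins.
			return current_user_can( 'manage_options' ) ? $result : $denied;
	}
}
```

Because the filter runs for every REST route, the check covers post, page, media and comment endpoints alike rather than relying on per-route permission callbacks.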
