
Add back /wp/v2/coauthors endpoint removed in #851 #899

Closed

Conversation

sbcatania

Description

In #851, the /wp/v2/coauthors endpoint was removed from the plugin. However, this was a breaking change because this endpoint was used by some to make some WordPress plugins function and more importantly to be consumed by external applications like mobile apps to get full author information for posts. The endpoint's removal prevents some users of the plugin from updating it to the latest version because the change breaks their existing application, thus preventing them from accessing the latest in security and other improvements!

For context, this endpoint was originally added in #790. It seems like people's usage of it has exceeded the original intended use, but because of that it was still a breaking change to remove it. Thank you for your consideration!

Deploy Notes

No new dependencies.

Steps to Test

Since this re-enables a feature that was previously and recently integrated in the plugin, it should work correctly. It can be tested by accessing the endpoint at /wp/v2/coauthors

@rebeccahum
Contributor

@sbcatania This endpoint was removed because of the information disclosure vulnerability, as emails of guest authors were being leaked by it.

@sbcatania
Author

Hi @rebeccahum , thank you so much for the clarification and additional context here! That sounds like an important vulnerability and very serious issue. Is it possible for the endpoint to still exist but just not include the email addresses in the API response? I think that would be beneficial to users of the plugin to mitigate breaking changes caused by this endpoint's removal.
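The two comments above describe the trade-off: the endpoint leaked guest authors' e-mail addresses, and the proposed fix is to keep the route but drop the e-mail from the response. The snippet below is an added illustration of that pattern and is not Co-Authors Plus code or the code in this PR. It registers a read-only route that serialises co-author objects through an explicit allow-list of public fields, so `user_email` (and any other property the author object carries) can never reach an unauthenticated caller by accident; the e-mail is attached only for users who can already see it through the core `/wp/v2/users` endpoint (`list_users`). The namespace `example/v1`, the `example_` functions, and the assumption that `get_coauthors( $post_id )` returns objects with `ID`, `display_name`, `user_nicename`, `description`, `type` and `user_email` properties are assumptions made for this example.

```php
<?php
/**
 * Added example, not plugin code: expose co-author data through an
 * allow-list so that user_email is never serialised by default.
 *
 * Assumptions (hypothetical): get_coauthors( $post_id ) returns objects
 * carrying ID, display_name, user_nicename, description, type and
 * user_email; route namespace and function names are chosen here only.
 */

add_action( 'rest_api_init', function () {
    register_rest_route(
        'example/v1',                         // hypothetical namespace
        '/coauthors/(?P<post_id>\d+)',
        array(
            'methods'             => WP_REST_Server::READABLE,
            'callback'            => 'example_coauthors_rest_callback',
            'permission_callback' => 'example_coauthors_rest_permission',
            'args'                => array(
                'post_id' => array(
                    'validate_callback' => function ( $value ) {
                        return is_numeric( $value ) && (int) $value > 0;
                    },
                    'sanitize_callback' => 'absint',
                ),
            ),
        )
    );
} );

// Only someone who may read the post may list its authors; drafts and
// private posts are not enumerable through this route.
function example_coauthors_rest_permission( WP_REST_Request $request ) {
    $post = get_post( (int) $request['post_id'] );
    if ( ! $post ) {
        return new WP_Error( 'rest_post_invalid_id', 'Invalid post ID.', array( 'status' => 404 ) );
    }
    if ( 'publish' !== $post->post_status && ! current_user_can( 'read_post', $post->ID ) ) {
        return new WP_Error(
            'rest_forbidden',
            'Sorry, you are not allowed to view this post.',
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

function example_coauthors_rest_callback( WP_REST_Request $request ) {
    $post_id = (int) $request['post_id'];

    // Same gate core uses before it shows a user's e-mail: list_users.
    $include_email = current_user_can( 'list_users' );

    $out = array();
    foreach ( get_coauthors( $post_id ) as $author ) {   // assumed plugin helper
        $out[] = example_coauthor_to_array( $author, $include_email );
    }
    return rest_ensure_response( $out );
}

// Allow-list projection: every property not named here (user_email,
// user_pass, user_activation_key, ...) is dropped, whatever the object holds.
function example_coauthor_to_array( $author, bool $include_email ) {
    $row = array(
        'id'            => isset( $author->ID ) ? (int) $author->ID : 0,
        'display_name'  => (string) ( $author->display_name ?? '' ),
        'user_nicename' => (string) ( $author->user_nicename ?? '' ),
        'description'   => (string) ( $author->description ?? '' ),
        'type'          => (string) ( $author->type ?? 'wpuser' ),   // assumed: 'guest-author' for guests
    );
    if ( $include_email && ! empty( $author->user_email ) ) {
        $row['email'] = sanitize_email( $author->user_email );
    }
    return $row;
}
```

The point of projecting into a fresh array rather than unsetting `user_email` on the original object is that a deny-list silently fails the next time a property is added to the author object; an allow-list fails closed. To check the fix, request the route unauthenticated (`curl https://example.test/wp-json/example/v1/coauthors/123`) and confirm the JSON contains no `@`, then repeat with a cookie or application password for an administrator and confirm `email` appears only then.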

@sbcatania
Author

Hey @rebeccahum and @lschuyler, I hope you're both doing well! I was wondering if there were updates on this in response to my previous comment. I would love to find a way to address the security concerns while also preventing breaking changes and I think that not including the email address in the API response could help with this.

@rebeccahum
Contributor

@sbcatania Yep, did you want to update the PR with those changes?

@MatthewTurk247

Hey @rebeccahum, I have been working with @sbcatania on bringing back the /wp/v2/coauthors endpoint. We have now made all the changes that we believe are sufficient to enable the endpoint while eliminating the email-related disclosure vulnerabilities. What are the next steps?

@sbcatania
Author

Hey @rebeccahum and @lschuyler, I hope you're both doing well! I think we've successfully updated our code to fix the issues you raised, would love to know if there's anything we could do to help this move along :)

@sbcatania
Author

Hi @rebeccahum and @lschuyler, thank you so much for your hard work maintaining this repo. Please let me know if there's anything else we can do here or if we should contact someone else to review these changes. Otherwise, we would love to have these changes merged!

@rebeccahum
Contributor

Closing in favour of #931.

@rebeccahum rebeccahum closed this May 25, 2023