Opened 5 weeks ago
Closed 7 days ago
#9231 closed defect (bug) (fixed)
Using BP REST API it's possible to retrieve information about a spammed user
Reported by: | imath | Owned by: | espellcaste |
---|---|---|---|
Milestone: | 15.0.0 | Priority: | normal |
Severity: | normal | Version: | |
Component: | REST API | Keywords: | needs-patch |
Cc: | emaralive |
Description
The Web version only shows this kind of information to Administrators.
https://developer.buddypress.org/bp-rest-api/reference/members/#retrieve-a-specific-member
Change History (10)
This ticket was mentioned in Slack in #buddypress by espellcaste.
5 weeks ago
#3
5 weeks ago
@espellcaste
It is comforting that V2 appears not to have the issue; however, V1 is the current API and it could be that the plugin (BP-REST) that I am utilizing is not current for V1. Nevertheless, this appears to have the issue, which seems to fall in line with the support forum topic:

--user is a subscriber
18 is the id of the spammed user

```
curl -X GET --user user:password -ik site.url/wp-json/buddypress/v1/members/18

HTTP/1.1 200 OK
Date: Thu, 05 Sep 2024 12:44:13 GMT
Server: Apache/2.4.58 (Debian)
X-Robots-Tag: noindex
Link: <site.url/wp-json/>; rel="https://api.w.org/"
X-Content-Type-Options: nosniff
Access-Control-Expose-Headers: X-WP-Total, X-WP-TotalPages, Link
Access-Control-Allow-Headers: Authorization, X-WP-Nonce, Content-Disposition, Content-MD5, Content-Type
Allow: GET
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0, no-store, private
Transfer-Encoding: chunked
Content-Type: application/json; charset=UTF-8

{"id":18,"name":"Apple","user_login":"news","friendship_status":false....}
```
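The authorization gap shown in the request above is the missing check in the route's permission callback. As an added illustration (not BuddyPress's or BP-REST's own patch), here is a REST permission callback that hides spammed members from anyone without the `bp_moderate` capability; the `example/v1` namespace and the `example_*` functions are hypothetical, while `bp_is_user_spammer()`, `bp_current_user_can()`, `register_rest_route()` and `WP_Error` are real BuddyPress/WordPress APIs.

```php
<?php
// Added illustration, not BuddyPress's own code: a REST route whose
// permission callback refuses to expose spammed members to non-moderators.
// Namespace 'example/v1' and the example_* functions are hypothetical.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/members/(?P<id>[\d]+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_get_member',
        'permission_callback' => 'example_member_permissions_check',
        'args'                => array(
            'id' => array(
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
            ),
        ),
    ) );
} );

function example_member_permissions_check( WP_REST_Request $request ) {
    $user_id = (int) $request['id'];

    // A spammed account and a non-existent account get the identical 404,
    // so a low-privilege caller cannot tell which one it hit.
    $not_found = new WP_Error(
        'example_member_invalid_id',
        __( 'Invalid member ID.' ),
        array( 'status' => 404 )
    );

    if ( ! get_userdata( $user_id ) ) {
        return $not_found;
    }

    // Only users with the bp_moderate capability (site admins) may view
    // spammed members; the spammed member is not exempted either.
    if ( bp_is_user_spammer( $user_id ) && ! bp_current_user_can( 'bp_moderate' ) ) {
        return $not_found;
    }

    return true;
}

function example_get_member( WP_REST_Request $request ) {
    // The permission callback has already run; only safe fields are exposed.
    $user = get_userdata( (int) $request['id'] );
    return rest_ensure_response( array(
        'id'   => $user->ID,
        'name' => $user->display_name,
    ) );
}
```

A regression test for this ticket would authenticate as a subscriber, request a spammed member's id, and assert a 404 rather than the 200 shown above.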
#5
5 weeks ago
The user who is making the request is "bing" (user_id = 3), who happens to have a user role of "subscriber". So bing is requesting member information about the user with the id of 18, who happens to be a spammed user.
I can't confirm this bug. Currently, only admins can return a spammed member via the REST API. Not even the spammed member himself can get his own profile.
Here's the message a spammed user gets:
Other regular users will get this:
And the admin will get the member object properly.
cc: @emaralive