Place Your Ad Here

Bug Non-Public data returned in API calls

There is a bug in this version
K

Kirby

Guest
A custom user field can be defined as
  • Not being editable by the user
  • Not being shown on pofile pages
  • Not being shown in message user info
  • Not required

The general perception here is that such a field is "private", eg. can only be seen / modified by Moderators or Administrators.

Yet such fields are returned in API calls like me if the API key has scope user:read.

This could be a security issue, at least it is unexpected.

Suggested Fix
Do not return...

Read more

Continue reading...
 
You must log in or register to reply here.

Similar threads

X
Bug False positive "Replier can only add posts at the end of a thread" from non-monotomic time()
Replies
0
Views
117
XenForo General Discussions
Xon
X
N
XenForo Template error: [E_WARNING] A non-numeric value encountered
Replies
0
Views
98
XenForo Development & Modifications
Nirjonadda
N
N
Ques/Help thread slugs (URLs) do not generate correctly for non-English languages
Replies
0
Views
138
XenForo General Discussions
namwooo
N
L
XenForo Lost Access to Most Tools as a Non-Super Admin
Replies
0
Views
121
XenForo Development & Modifications
Lunar Ronin
L
O
Solved Non valid property : @_structItem-cellPaddingH
Replies
0
Views
106
XenForo General Discussions
Old Nick
O
Top Bottom
Back