Comments (3)
The users endpoint is a problem and we do need to disable that for public consumption when we aren't using it. The problem is we build so many sites now that rely on the REST API that we will continue to cause outages on our client sites if we block any REST API endpoints by default, and I just don't think engineers are going to read the documentation on this plugin before installing it. I would vote for an installation wizard, or, more simply, changing the behavior not to block anything but to show a warning in the wp-admin dashboard instead and require a box be checked in the settings to acknowledge that this endpoint is public on purpose. Now that we have the support monitor rolling out, we can potentially rely on that to provide visibility into which endpoints are public in a way we can take action on it.
from 10up-experience.
Uber projects have been blown up by this "bomb" today... We definitely need to escalate this issue and revisit how the plugin works during the initial activation and initial protection.
An alternative solution might be a setup wizard which is activated when we install and activate the plugin for the first time. Something like WooCommerce does when you activate it for the first time.
from 10up-experience.
It feels like the default should probably be "Restrict access to the users endpoint to authenticated users", along with a much better explanation in the README. What does everyone think about that?
from 10up-experience.
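The behaviour the thread converges on (users endpoint restricted to authenticated requests by default, with an explicit opt-in and a dashboard warning when it is deliberately public) can be sketched as a WordPress mu-plugin. This is an added illustration, not the 10up-experience plugin's own code; the option name, function names and text domain are assumptions.

```php
<?php
/**
 * Assumed mu-plugin: restrict /wp/v2/users to authenticated requests unless an
 * administrator has explicitly acknowledged that the endpoint is public on purpose.
 */

// Assumed option name; a truthy value means "this endpoint is public on purpose".
const TENUP_USERS_PUBLIC_ACK = 'tenup_users_endpoint_public_ack';

/**
 * Runs before the REST request is dispatched. Authentication has already been
 * resolved at this point, so cookie+nonce and application-password requests
 * from site builds that rely on the API keep working; only anonymous requests
 * to the users collection/item routes are refused.
 */
function tenup_restrict_users_endpoint( $result, $server, $request ) {
    if ( null !== $result ) {
        return $result; // another filter already produced a response
    }
    if ( get_option( TENUP_USERS_PUBLIC_ACK, false ) ) {
        return $result; // explicitly acknowledged as public: do not block
    }
    $route = $request->get_route(); // e.g. "/wp/v2/users" or "/wp/v2/users/3"
    if ( 1 === preg_match( '#^/wp/v2/users(?:/|$)#', $route ) && ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_users_restricted',
            __( 'The users endpoint requires authentication on this site.', 'tenup' ),
            array( 'status' => 401 )
        );
    }
    return $result;
}
add_filter( 'rest_pre_dispatch', 'tenup_restrict_users_endpoint', 10, 3 );

/**
 * Dashboard warning so an intentionally public users endpoint is visible to
 * administrators rather than silently exposed.
 */
function tenup_users_endpoint_notice() {
    if ( ! current_user_can( 'manage_options' ) || ! get_option( TENUP_USERS_PUBLIC_ACK, false ) ) {
        return;
    }
    echo '<div class="notice notice-warning"><p>' .
        esc_html__( 'The REST users endpoint is public by explicit acknowledgement; user names and slugs are readable without authentication.', 'tenup' ) .
        '</p></div>';
}
add_action( 'admin_notices', 'tenup_users_endpoint_notice' );
```

Dropping this file into wp-content/mu-plugins/ applies the restriction without a settings screen; the acknowledgement checkbox the thread proposes would simply write the assumed option.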