  1. XWiki Platform
  2. XWIKI-8331

The REST API doesn't mask private information such as passwords or email addresses

Details

    • Bug
    • Resolution: Duplicate
    • Critical
    • None
    • 3.5.1, 4.2, 7.4
    • REST
    • Medium
    • N/A
    • N/A
    • Pull Request accepted

    Description

      A user that has view rights on a user page (i.e. everybody, including guest) can access the objects associated with the page (i.e., XWiki.XWikiUsers) and see the values of their fields as they are (i.e., the email address or the password hash).

            People

              vmassol Vincent Massol
              fmancinelli Fabio Mancinelli