Allow and Deny permissions for user roles to use V2 API in browser.

Question

Hi Lithium Team,Just found it very strange on all over the communities, any type of user role or anonymous can read the users public data in community using V2 API by just hitting this URL (http://community.lithium.com/api/2.0/search?q=SELECT%20login%20from%20users%20where+roles.id%3D%27t%3AAdministrator%27+limit%201000), and there is no way by which community members can disable this from admin or there is any permissions for that. Using this API any user can read usernames of role type(admins) from API URL and can misuse of it.Even this article(https://community.lithium.com/t5/Developer-Documentation/bd-p/dev-doc-portal?section=commv2&amp;v2.main=gettingstarted#apiBrowser) also states that anonymous users also can read users public data.There should be set of permissions which can apply for anonymous users to not read users data through API by adding restrictions to API V2.Attached are some of the screen-shots for this.

luk · Answer

How exactly would you "misuse" public data that could also be gathered in other ways? Of course, if someone has malicious intentions, it might make targeting specific accounts with brute-force attacks easier, but then the solution is not to cripple the API even more, but to implement proper anti brute-force mechanisms... (for examplein temporary block loginfor x minutes after 5 consecutive wrong login attempts, then even longer after another 5 etc.).

My point is: There are other ways (besides the API) to figure out the Admin users in a community, e.g. a locked-down API won't really protect you and give a "false " sense of security....

parshant · Answer

luk, I have just showed example using only login information of the user in the API, but I can see more information.See Screenshot for Only First User "Lithium-Admin"&nbsp;&nbsp;

luk · Answer

Of course we can, this is called "public information"... =), this was the case with API v1 already, it's information that you could gather in other ways as well...

parshant · Answer

Okay, One of our community is private and one of the community don't want to expose user username all over the community. They don't want to expose any of the user information.But this api gives information even its a private/gated community.&nbsp; Use of this personal information must have limits and there should be a way by which community manager can disable this from admin or there is any role based permissions for that.

luk · Answer

I guess just categorically take away the REST API read permission is not an option (or does it even return data in that case)?

Forum Discussion

Allow and Deny permissions for user roles to use V2 API in browser.

Related Content

permissions for the user biography based on user roles

Browser support

API Content and User Permissions

permission api

Permissions for view post with custom_tags

Recent Discussions

Connecting Khoros data to CRM (Salesforce)

API v1 docs gone since Atlas migration to Aurora

Does anyone know how to change the display title of Custom Fields in Aurora?

Can someone walk me through authenticating and using Postman with Aurora?

Seeking Advice on Restricting Access to a posts to those who have the permalink.