Allow and Deny permissions for user roles to use V2 API in browser.

Question

Hi Lithium Team,Just found it very strange on all over the communities, any type of user role or anonymous can read the users public data in community using V2 API by just hitting this URL (http://community.lithium.com/api/2.0/search?q=SELECT%20login%20from%20users%20where+roles.id%3D%27t%3AAdministrator%27+limit%201000), and there is no way by which community members can disable this from admin or there is any permissions for that. Using this API any user can read usernames of role type(admins) from API URL and can misuse of it.Even this article(https://community.lithium.com/t5/Developer-Documentation/bd-p/dev-doc-portal?section=commv2&amp;v2.main=gettingstarted#apiBrowser) also states that anonymous users also can read users public data.There should be set of permissions which can apply for anonymous users to not read users data through API by adding restrictions to API V2.Attached are some of the screen-shots for this.

luk · Answer

How exactly would you "misuse" public data that could also be gathered in other ways? Of course, if someone has malicious intentions, it might make targeting specific accounts with brute-force attacks easier, but then the solution is not to cripple the API even more, but to implement proper anti brute-force mechanisms... (for examplein temporary block loginfor x minutes after 5 consecutive wrong login attempts, then even longer after another 5 etc.).

My point is: There are other ways (besides the API) to figure out the Admin users in a community, e.g. a locked-down API won't really protect you and give a "false " sense of security....

parshant · Answer

luk, I have just showed example using only login information of the user in the API, but I can see more information.See Screenshot for Only First User "Lithium-Admin"&nbsp;&nbsp;

luk · Answer

Of course we can, this is called "public information"... =), this was the case with API v1 already, it's information that you could gather in other ways as well...

parshant · Answer

Okay, One of our community is private and one of the community don't want to expose user username all over the community. They don't want to expose any of the user information.

But this api gives information even its a private/gated community. Use of this personal information must have limits and there should be a way by which community manager can disable this from admin or there is any role based permissions for that.

luk · Answer

I guess just categorically take away the REST API read permission is not an option (or does it even return data in that case)?

Forum Discussion

Allow and Deny permissions for user roles to use V2 API in browser.

5 Replies

Related Content

Re: Permission descriptions

About Content permissions

Browsers supported on Aurora

Re: Set forum permissions

Aurora: Set events permissions

Recent Discussions

Join node/group 301 API error

liqlAdmin in khoros aurora graphql API

How do I get the article ID in Freemarker in a TkbArticle?

How to retrieve "Internal reason for ban" field

Tips on keeping stage and prod in alignment?