Forum Discussion
How exactly would you "misuse" public data that could also be gathered in other ways? Of course, if someone has malicious intentions, it might make targeting specific accounts with brute-force attacks easier, but then the solution is not to cripple the API even more, but to implement proper anti-brute-force mechanisms... (for example, temporarily block login for x minutes after 5 consecutive wrong login attempts, then even longer after another 5, etc.).
My point is: there are other ways (besides the API) to figure out the Admin users in a community, i.e. a locked-down API won't really protect you and gives a "false" sense of security....
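The escalating lockout sketched in the post above, written out as an added example (this is not Lithium's code or anything from the thread): after 5 consecutive failures the account is blocked for a base period, after the next 5 for twice as long, and so on, until a successful login resets the counters. The base period of 15 minutes and the doubling rule are assumptions; the post only says "x minutes" and "even longer".

```python
"""Escalating per-account login lockout (added example, not from the original thread)."""
from dataclasses import dataclass

FAILURE_THRESHOLD = 5        # failures per escalation step, as in the post
BASE_LOCK_SECONDS = 15 * 60  # the post's "x minutes"; 15 is an assumed value


@dataclass
class LoginState:
    consecutive_failures: int = 0   # failures since the last lockout or success
    lockouts: int = 0               # lockouts imposed so far; drives the escalation
    locked_until: float = 0.0       # timestamp until which logins are refused


class LoginThrottle:
    """Tracks failed logins per username and imposes growing lockouts."""

    def __init__(self):
        self._state = {}

    def _get(self, username):
        return self._state.setdefault(username, LoginState())

    def is_locked(self, username, now):
        return self._get(username).locked_until > now

    def record_attempt(self, username, password_ok, now):
        """Record one login attempt at time `now`.

        Returns (allowed, lock_seconds): `allowed` is True only for a successful
        login on an unlocked account; `lock_seconds` is the lockout length just
        imposed, or the time remaining if the account was already locked.
        """
        st = self._get(username)
        if st.locked_until > now:
            # Locked accounts are refused before the password is even checked,
            # so a lockout cannot be used as a password oracle.
            return False, st.locked_until - now
        if password_ok:
            st.consecutive_failures = 0
            st.lockouts = 0
            return True, 0
        st.consecutive_failures += 1
        if st.consecutive_failures >= FAILURE_THRESHOLD:
            st.lockouts += 1
            # Each further lockout doubles the previous one (assumed escalation rule).
            duration = BASE_LOCK_SECONDS * (2 ** (st.lockouts - 1))
            st.locked_until = now + duration
            st.consecutive_failures = 0
            return False, duration
        return False, 0
```

One caveat worth keeping in mind when deploying something like this: a purely per-account lockout lets anyone who knows a username (which, as the thread notes, is often public) keep that account locked, so in practice it is paired with per-source rate limits or a challenge rather than used alone.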
luk, I have just shown an example using only the login information of the user in the API, but I can see more information.
See Screenshot for Only First User "Lithium-Admin"
- luk, 7 years ago, Boss
Of course we can, this is called "public information"... =), this was the case with API v1 already, it's information that you could gather in other ways as well...
- Parshant, 7 years ago, Boss
Okay. One of our communities is private, and one of the communities doesn't want to expose user usernames all over the community. They don't want to expose any of the user information.
But this API gives information even if it's a private/gated community. Use of this personal information must have limits, and there should be a way by which the community manager can disable this from admin, or there should be role-based permissions for that.
- luk, 7 years ago, Boss
I guess just categorically taking away the REST API read permission is not an option (or does it even return data in that case)?