Forum Discussion

Ace

7 years ago

GDPR personal_data resource only available on Lithium Studio API Browser

I'm trying to develop a custom endpoint at Lithium Studio, for exposing GDPR functionality described at GDPR Community API support. The query at API browser looks like this: SELECT personal_data FR...

luk

Boss

7 years ago

iarriola Just a remark: What the above code does, is extremely dangerous...do you realize that because you use restadmin() and a USER-DEFINABLE $_GET parameter "userId", that ANYBODY could get the personal_data of any other user, not just himself...

In other words: restadmin() elevates anybody to Admin level in terms of API permissions, and you allow the user to specify the ID of the user to query personal_data about...

I would say, be happy it returns an empty object for now =)!

iarriola
Ace
7 years ago
Hi luk, thanks a lot for the heads up. And yes, I understand how restadmin() works. What's missing on the custom endpoint is a security validation, to see if the logged in user is an API admin user, the endpoint not published yet, and is not intended to be open to the public and community, but for been consumed by a backend service, what's posted here, is just a quick script to check how the data looks like and how can be consumed internally.
Thanks again :)!

Forum Discussion

GDPR personal_data resource only available on Lithium Studio API Browser

Related Content

Community REST-API: Get all tags available

CMAD Resources You Can Use

Components Available for TKB Card Article

Is a Studio cheat sheet available?

List of available parameters for common.widget.search-form component?

Recent Discussions

Connecting Khoros data to CRM (Salesforce)

API v1 docs gone since Atlas migration to Aurora

Does anyone know how to change the display title of Custom Fields in Aurora?

Can someone walk me through authenticating and using Postman with Aurora?

Seeking Advice on Restricting Access to a posts to those who have the permalink.