Forum Discussion

CarolineS
9 months ago

Possible to disallow API calls by anonymous users?

Hi team,

Wondering if there's a configuration available to disallow API calls by anonymous users.

e.g. https://community.[hostname].com/[server]/api/2.0/search?q=SELECT+*+FROM+users dumps a bunch of data even from an anonymous call. This info is also visible on user profiles (it doesn't expose anything that's not on user profiles already) but it's making some folks on our team a little nervous to have this data available in a big chunk like this.

Thanks!

  • Hi CarolineS: We have encountered similar issues for our community previously and we reached out to Khoros support to disable this feature for the anonymous users.

     

    If my post is helpful and answers your question, please give "Kudos" and "Accept it as a Solution."

    Thanks & Regards,
    Abhishek Illindra

  • Oh... that's interesting/concerning since I would have expected this call to adhere to the REST API read access user permission settings for anonymous users:

    I mean... I don't have issues with someone reading the content that is public on a community with a more machine readable format. There are restrictions in place (e.g. maximum result set size) that prevent making scraping the whole community too simple, but even then: If someone likes our content, suit ourselves.

    For the curious: What exactly do we need to ask Khoros support for to get this disabled?