From a80a09e483e0b03139c5a2c2d834455dcde9078b Mon Sep 17 00:00:00 2001
From: Katharina Irrgang
Date: Tue, 26 Sep 2017 17:42:58 +0200
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=A5=20=20Removed=20public=20API=20endp?= =?UTF-8?q?oint=20to=20fetch=20users=20by=20email=20address=20(#9059)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

no issue - our public API is still a beta/labs feature - from api.ghost.org > The API is still under very (very) heavy development and subject to regular breaking changes. - users should expect breaking changes in any release (independent from semver versions) - the public user API never returns any email addresses to decrease the information we expose - there is no need to keep the support fetching a user by email address
---
 core/server/api/routes.js | 3 ++-
 .../functional/routes/api/public_api_spec.js | 16 ++++++++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/core/server/api/routes.js b/core/server/api/routes.js
index 2f7506fdb9..9cea8b783d 100644
--- a/core/server/api/routes.js
+++ b/core/server/api/routes.js
@@ -57,7 +57,8 @@ module.exports = function apiRoutes() {
 apiRouter.get('/users', mw.authenticatePublic, api.http(api.users.browse));
 apiRouter.get('/users/:id', mw.authenticatePublic, api.http(api.users.read));
 apiRouter.get('/users/slug/:slug', mw.authenticatePublic, api.http(api.users.read));
- apiRouter.get('/users/email/:email', mw.authenticatePublic, api.http(api.users.read));
+ // NOTE: We don't expose any email addresses via the public api.
+ apiRouter.get('/users/email/:email', mw.authenticatePrivate, api.http(api.users.read));
 apiRouter.put('/users/password', mw.authenticatePrivate, api.http(api.users.changePassword));
 apiRouter.put('/users/owner', mw.authenticatePrivate, api.http(api.users.transferOwnership));
 
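Review bot: The subject says the email endpoint was removed, but the new side keeps `apiRouter.get('/users/email/:email', ...)` and only swaps `mw.authenticatePublic` for `mw.authenticatePrivate`, so lookup of a user by email address remains reachable for any client that passes private authentication. The added NOTE describes the intent (no email addresses via the public API) rather than the actual state of the route, which is what the next reader auditing the public surface needs; suggest `// NOTE: Email lookup is not part of the public API; this route answers only to private (authenticated) access.` The difference matters because "removed" and "moved behind private auth" leave different things to verify in access-control review. The enclosing apiRoutes function starts and ends outside the hunk.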
diff --git a/core/test/functional/routes/api/public_api_spec.js b/core/test/functional/routes/api/public_api_spec.js
index 373af41f03..1528190018 100644
--- a/core/test/functional/routes/api/public_api_spec.js
+++ b/core/test/functional/routes/api/public_api_spec.js
@@ -373,6 +373,22 @@ describe('Public API', function () {
 });
 });
 
+ it('[unsupported] browse user by email', function (done) {
+ request
+ .get(testUtils.API.getApiQuery('users/email/ghost-author@ghost.org/?client_id=ghost-admin&client_secret=not_available'))
+ .set('Origin', testUtils.API.getURL())
+ .expect('Content-Type', /json/)
+ .expect('Cache-Control', testUtils.cacheRules.private)
+ .expect(403)
+ .end(function (err) {
+ if (err) {
+ return done(err);
+ }
+
+ done();
+ });
+ });
+
 it('browse user by id: ignores fetching roles', function (done) {
 request.get(testUtils.API.getApiQuery('users/1/?client_id=ghost-admin&client_secret=not_available&include=roles'))
 .set('Origin', testUtils.API.getURL())
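Review bot: The `.expect(403)` in the new test only shows that a public client is rejected; it does not distinguish "endpoint unsupported" (as the test name claims) from "request not authenticated", since a 403 is what any public client gets on a route that now requires private access. A short comment above the `it` would record which of the two is being asserted, e.g. `// users/email/:email now requires private auth: a public client must get 403, never a user record`. If this spec already inspects the error body elsewhere (for instance the error type in `res.body`), the same check here would pin the failure reason rather than just the status code. The enclosing describe('Public API') block starts outside the hunk.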