TryGhost/Ghost
1
0
Fork 0
mirror of https://github.com/TryGhost/Ghost.git synced 2024-12-01 05:50:35 +03:00
Code Issues Projects Releases Wiki Activity

🔥 Removed public API endpoint to fetch users by email address (#9059)

Browse Source 
no issue

- our public API is still a beta/labs feature
- from api.ghost.org
  > The API is still under very (very) heavy development and subject to regular breaking changes.
- users should expect breaking changes in any release (independent from semver versions)
- the public user API never returns any email addresses to decrease the information we expose
- there is no need to keep the support fetching a user by email address
This commit is contained in:
Katharina Irrgang 2017-09-26 17:42:58 +02:00 committed by Hannah Wolfe
parent 2db548a5bc
commit a80a09e483
2 changed files with 18 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
core/server/api/routes.js
View File

@ -57,7 +57,8 @@ module.exports = function apiRoutes() {
apiRouter.get('/users', mw.authenticatePublic, api.http(api.users.browse)); apiRouter.get('/users', mw.authenticatePublic, api.http(api.users.browse));
apiRouter.get('/users/:id', mw.authenticatePublic, api.http(api.users.read)); apiRouter.get('/users/:id', mw.authenticatePublic, api.http(api.users.read));
apiRouter.get('/users/slug/:slug', mw.authenticatePublic, api.http(api.users.read)); apiRouter.get('/users/slug/:slug', mw.authenticatePublic, api.http(api.users.read));
apiRouter.get('/users/email/:email', mw.authenticatePublic, api.http(api.users.read)); // NOTE: We don't expose any email addresses via the public api.
apiRouter.get('/users/email/:email', mw.authenticatePrivate, api.http(api.users.read));
apiRouter.put('/users/password', mw.authenticatePrivate, api.http(api.users.changePassword)); apiRouter.put('/users/password', mw.authenticatePrivate, api.http(api.users.changePassword));
apiRouter.put('/users/owner', mw.authenticatePrivate, api.http(api.users.transferOwnership)); apiRouter.put('/users/owner', mw.authenticatePrivate, api.http(api.users.transferOwnership));

16
core/test/functional/routes/api/public_api_spec.js
View File

@ -373,6 +373,22 @@ describe('Public API', function () {
}); });
}); });
it('[unsupported] browse user by email', function (done) {
request
.get(testUtils.API.getApiQuery('users/email/ghost-author@ghost.org/?client_id=ghost-admin&client_secret=not_available'))
.set('Origin', testUtils.API.getURL())
.expect('Content-Type', /json/)
.expect('Cache-Control', testUtils.cacheRules.private)
.expect(403)
.end(function (err) {
if (err) {
return done(err);
}
done();
});
});
it('browse user by id: ignores fetching roles', function (done) { it('browse user by id: ignores fetching roles', function (done) {
request.get(testUtils.API.getApiQuery('users/1/?client_id=ghost-admin&client_secret=not_available&include=roles')) request.get(testUtils.API.getApiQuery('users/1/?client_id=ghost-admin&client_secret=not_available&include=roles'))
.set('Origin', testUtils.API.getURL()) .set('Origin', testUtils.API.getURL())