Opened 9 years ago
Closed 9 years ago
#2828 closed defect (bug) (fixed)
How to query for users (ID, slug, email, etc...)
| Reported by: | johnjamesjacoby | Owned by: | johnjamesjacoby |
|---|---|---|---|
| Milestone: | 2.5.8 | Priority: | normal |
| Severity: | normal | Version: | 2.0 |
| Component: | Component - Users | Keywords: | has-patch |
| Cc: | | | |
Description
Right now, via bbp_parse_query() it's possible to query for users in 3 different ways:
- Numeric ID - ?bbp_user=1
- Nicename Slug - ?bbp_user=admin
- Email Address - ?bbp_user=jjj@bbpress.org
My thoughts:
- ID makes sense, and mirrors WordPress's ?author=1 functionality
- Nicename makes sense, because it is the vanity version of a user's login
- Email address makes less sense to me, and has the potential to be abused
(Note: Nicename and Email methods require pretty permalinks to be configured for the site bbPress is active on.)
Hat tip glynwintle for the original report.
Attachments (3)
Change History (10)
#3 (9 years ago)
This is a fairly serious privacy issue, as email addresses are assumed to be private and being able to search for users via an email address isn't expected. I'd feel much more comfortable treating this as a security issue and fixing the email query issue, then discussing the rest. (I patched my live site immediately after reading this.)
#4 (9 years ago)
- Keywords has-patch added; 2nd-opinion removed
- Milestone changed from Under Consideration to 2.5.8
Agreed, email address here has potential abuse written all over it from a privacy standpoint.
As @tharsheblows pointed out recently, on BuddyPress Trac a decision was made to avoid posting "privacy"-related issues on Trac and to treat them as security issues; we should do the same.
Original IRC discussion re #1475 here
2828.3.diff refreshes 2828.2.diff with PHPDoc changes.
See also r2917 and #1475. I have a faint memory of talking about this on IRC, and my guess is we concluded that having more explicit queries map to WP_User::get_data_by() was the way to go.
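An added example, not bbPress's own code and not the patch attached to this ticket, of the explicit mapping the comment above suggests: the raw bbp_user value is classified as either a numeric ID or a nicename and passed to WP_User::get_data_by() with that field, and any value containing "@" is refused before a lookup happens. The function name example_resolve_bbp_user is hypothetical; it assumes WordPress is loaded so that WP_User and sanitize_title() exist.

```php
<?php
/**
 * Resolve the `bbp_user` query var to a WP_User by ID or nicename only.
 *
 * Hypothetical helper (not bbPress code). Email lookups are never issued, so
 * a request cannot be used to learn whether an address belongs to an account.
 *
 * @param mixed $value Raw `bbp_user` query var value.
 * @return WP_User|null Matching user, or null when the value is not accepted.
 */
function example_resolve_bbp_user( $value ) {
	// Arrays and other non-scalar query values are not a user reference.
	if ( ! is_string( $value ) && ! is_int( $value ) ) {
		return null;
	}
	$value = trim( (string) $value );
	if ( '' === $value ) {
		return null;
	}

	// Refuse anything email-shaped before touching the database: the only
	// accepted forms are a numeric ID and a nicename slug.
	if ( false !== strpos( $value, '@' ) ) {
		return null;
	}

	if ( ctype_digit( $value ) ) {
		$field = 'id';
		$key   = (int) $value;
		if ( 0 === $key ) {
			return null; // ID 0 is never a real user
		}
	} else {
		// Assumption: stored nicenames are sanitize_title() output (what
		// wp_insert_user() writes), so a value that changes under
		// sanitize_title() cannot match and is rejected without a query.
		$field = 'slug';
		$key   = $value;
		if ( strlen( $key ) > 50 || sanitize_title( $key ) !== $key ) {
			return null;
		}
	}

	// Only the two explicit fields above ever reach get_data_by().
	$data = WP_User::get_data_by( $field, $key );
	return $data ? new WP_User( $data ) : null;
}
```

With this in place, ?bbp_user=1 and ?bbp_user=admin resolve as before, while ?bbp_user=jjj@bbpress.org returns null without any user query being run.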