[buddypress-trac] [BuddyPress Trac] #9137: REST API related issues for signups and pending accounts
buddypress-trac
noreply at wordpress.org
Tue Oct 29 00:20:07 UTC 2024
#9137: REST API related issues for signups and pending accounts
-------------------------------------------------+-------------------------
 Reporter:  niftythree                           |       Owner:  espellcaste
     Type:  enhancement                          |      Status:  new
 Priority:  highest                              |   Milestone:  15.0.0
Component:  REST API                             |     Version:
 Severity:  normal                               |  Resolution:
 Keywords:  needs-testing has-patch              |
            has-unit-tests                       |
-------------------------------------------------+-------------------------
Comment (by espellcaste):
@niftythree

There is a new PR with the following fixes:
https://github.com/buddypress/buddypress/pull/396

Could you take a look at it?

> could we advise the user here that their account is pending?

I personally think that's sharing too much information to possibly, or
technically, any user.

See this bug report from you, for example:

> Anyone who knows the username of a pending account that's been
> registered through the REST API, or if a user thinks that username belongs
> to them, can constantly request the resending of activation emails by
> entering the username and anything into the password field.

In the hope of being helpful to the user, we'd be automatically exposing
the user ''status'' where bots could use it to DDoS communities, like in
the example shared.

I'd rather each community set this up if they think it makes sense, rather
than offering it as a core feature.

cc: @imath
--
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/9137#comment:18>
BuddyPress Trac <http://buddypress.org/>