[wp-hackers] JSON API 1.0 release

Dan Phiffer dan at phiffer.org
Wed Jun 30 14:01:21 UTC 2010

On Jun 30, 2010, at 4:11 AM, Tim Nash wrote:

> Just about to download and have a play, obvious question is how are
> you handling security?

For "restricted" method calls the API currently requires that you be authenticated already, using wp-login.php. Currently the only method with this requirement is create_post (which also requires the use of a nonce). I think the other method that might have a security implication is get_author_index, which could be used for dictionary attacks. I may include an option to selectively disable that method.

I've been contacted by users who've patched the API to include authentication methods, but I'm still evaluating what risks that might impose. I may release both "straight" authentication (user/pass as request vars) and OAuth, and let users decide which is the better choice for their needs -- the settings page lets you enable and disable the various "controllers" of the API. The whole thing is still pretty incomplete though, except basic introspection (the only one enabled by default).


> On 29 June 2010 21:08, Dan Phiffer <dan at phiffer.org> wrote:
>> On Jun 29, 2010, at 3:26 PM, Otto wrote:
>>> Oh no, not saying it's not easier or better, just that I tend to
>>> prefer existing interfaces rather than rolling my own
>> Yeah, this is the main reason we chose WordPress instead of doing the blog in Ruby on Rails. The plugin was something that evolved in the course of using content outside the WP template system.
>> -Dan
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers
> -- 
> Tim Nash - www.timnash.co.uk
> http://twitter.com/tnash
> The Stuff Specialist
> -----------Begin Boring Stuff-----------
> www.newmedias.co.uk
> NewMedias.co.ukis a non Limited Partnership based in the UK
> The contents of this email is for the named parties, if you have
> receieved this email in error please accept our apologises. Unless
> separately mentioned the content of the email are considered private
> with content belonging to the authors.
> Tim Nash The Stuff Specialist & NewMedias.co.uk non limited
> Partnership are separate entities. For enquires regarding
> NewMedias.co.uk please contact support at newmedias.co.uk
> NewMedias.co.uk - Fairview, DN22 8PY UK
> -----------End Boring Stuff-----------
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers

More information about the wp-hackers mailing list