[wp-xmlrpc] Remove authorization for xmlrpc read-only functions?

Daniel Jalkut jalkut at red-sweater.com
Wed Aug 4 01:42:25 UTC 2010


Hi Diederik - what comes to mind for me is that it's a coincidence that most of the information in a typical blog configuration is publicly visible. There are several scenarios in which the content of a blog may be protected:

- The posts are password protected.
- The posts are drafts.
- The entire blog is only visible to registered users.
- The posts contain metadata that is not exposed publicly by a given theme.

I can see your reasoning for having the information be accessible when it just so happens that there isn't any private information among the results, but trying to determine with accuracy whether it was safe to expose a particular set of posts or not would be difficult. The XMLRPC API is just too blunt and its content may include a mish-mash of public and private content.

If you want to get at the content of public posts in a programmatically parseable way, the existing RSS and Atom syndication interfaces are probably a good choice.

Daniel

On Aug 3, 2010, at 9:31pm, Diederik van Liere wrote:

> Dear fellow WordPress users / devs,
> 
> 
> I have been playing a bit with the xmlrpc functionality of WordPress
> and I like it a lot! There is just one thing that I don't fully
> understand and that is the following:
> 
> Why are the xmlrpc read-only functions (such as mt.getPostCategories,
> mt.getRecentPostTitles, mt.getRecentPosts, metaWeblog.getPost,
> wp.getComment, wp.getTags, wp.getAuthors, etc. etc.) protected by
> password / username?
> 
> These functions expose the same data as is available on the blog
> itself and the functions are read only. So why not liberate this data
> and remove the authorization? For example, Tumblr does the same, if
> you just add '/api/xml/' to a url of a post then you will receive the
> xml output of that particular post.
> 
> Two benefits come to mind (and I am sure other people can come up with
> more benefits):
> 1) It makes it easier for third-party developers to build tools to
> analyze WordPress blogs / blogposts
> 2) It's a (very) small step to make WordPress ready for the semantic web
> 
> Curious to hear your opinion about this and whether this should become
> a trac ticket.
> 
> Best,
> 
> 
> Diederik


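Added example, not part of the original thread and not WordPress's own code: a Python model of the per-post checks an unauthenticated read method would need before returning anything, covering the four scenarios listed in the reply above. The records are constructed; `members_only` and `PUBLIC_META_KEYS` are hypothetical names, and the allowlist stands in for theme-specific knowledge the API itself does not have.

```python
# Constructed model of the filtering an unauthenticated read method would need.
# post_status / post_password mirror WordPress post fields; members_only and
# PUBLIC_META_KEYS are hypothetical names introduced for this example.
PUBLIC_META_KEYS = {"subtitle"}  # assumption: the keys the active theme displays


def public_view(post, members_only=False):
    """Return the subset of `post` safe to serve without credentials, or None."""
    if members_only:                           # whole blog limited to registered users
        return None
    if post.get("post_status") != "publish":   # drafts and anything else unpublished
        return None
    if post.get("post_password"):              # password-protected post
        return None
    view = {k: post[k] for k in ("id", "title", "content") if k in post}
    # Fail closed: metadata is dropped unless it is explicitly allowlisted.
    view["meta"] = {k: v for k, v in post.get("meta", {}).items()
                    if k in PUBLIC_META_KEYS}
    return view


def get_recent_posts_unauthenticated(posts, members_only=False):
    """What an open getRecentPosts-style call could return."""
    views = (public_view(p, members_only) for p in posts)
    return [v for v in views if v is not None]


# Constructed sample data: one public post with hidden metadata, one
# password-protected post, one draft.
SAMPLE_POSTS = [
    {"id": 1, "title": "Hello", "content": "Public text",
     "post_status": "publish", "post_password": "",
     "meta": {"subtitle": "Intro", "internal_note": "check facts"}},
    {"id": 2, "title": "Secret", "content": "Protected",
     "post_status": "publish", "post_password": "hunter2", "meta": {}},
    {"id": 3, "title": "WIP", "content": "Unfinished",
     "post_status": "draft", "post_password": "", "meta": {}},
]

if __name__ == "__main__":
    for view in get_recent_posts_unauthenticated(SAMPLE_POSTS):
        print(view)
    print(get_recent_posts_unauthenticated(SAMPLE_POSTS, members_only=True))
```

The status, password and site-wide checks are mechanical; the metadata allowlist is the part that varies per theme and cannot be derived from the post record alone.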