Is this a security issue for WP GraphQL (WordPress)?

Using Postman I run this query:

query MyQuery {
  users {
    nodes {
      id
      email
    }
  }
}

Through an authenticated request (with administrator privileges) I get:

{
    "data": {
        "users": {
            "nodes": [
                {
                    "id": "dXNlcjox",
                    "email": "..."
                },
                {
                    "id": "dXNlcjoz",
                    "email": ".........."
                },
                {
                    "id": "dXNlcjoy",
                    "email": "................."
                }
            ]
        }
    },
    "extensions": {
        "debug": []
    }
}

It returns all users, which is fine.

BUT !!!

Through a public (unauthenticated) request I get:

{
    "data": {
        "users": {
            "nodes": [
                {
                    "id": "dXNlcjox",
                    "email": null
                }
            ]
        }
    },
    "extensions": {
        "debug": []
    }
}

Why is the node "id": "dXNlcjox" exposed to the public request?

Is this a security issue?

Actually, this is fine.

Quoted from the WP GraphQL page:

WPGraphQL follows WordPress access control rights, and only exposes data publicly that WordPress already exposes publicly. Users that have published posts are considered public entities in WordPress. Users that have not published posts are considered private and will not be included in public GraphQL requests, but will be included in GraphQL requests made by authenticated users with proper capabilities to see the users.

Fields, such as user email addresses, are also protected by WPGraphQL and only exposed to authenticated requests by users with proper capabilities to see the data.

The node "id": "dXNlcjox" happens to be the WordPress administrator; his existence is public information (even if his email address is not).
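To check that an endpoint behaves the way the quoted documentation describes, the two captured responses can be compared offline. The script below is an added example, not code from the question or from WPGraphQL; it assumes the global IDs are base64 of "<type>:<database id>" (so "dXNlcjox" decodes to "user:1"), uses constructed responses shaped like the two in the question, and reports which users and which non-null fields a public request exposes beyond the authenticated one.

```python
import base64
import json

# Constructed sample responses with the same shape as the two in the question
# (email values replaced with placeholders).
AUTHENTICATED_RESPONSE = json.loads("""
{"data": {"users": {"nodes": [
  {"id": "dXNlcjox", "email": "admin@example.invalid"},
  {"id": "dXNlcjoz", "email": "editor@example.invalid"},
  {"id": "dXNlcjoy", "email": "author@example.invalid"}
]}}, "extensions": {"debug": []}}
""")

PUBLIC_RESPONSE = json.loads("""
{"data": {"users": {"nodes": [
  {"id": "dXNlcjox", "email": null}
]}}, "extensions": {"debug": []}}
""")

# Fields a public request is allowed to return for a user who has published posts.
PUBLIC_ALLOWED = frozenset({"id"})


def decode_global_id(global_id: str) -> tuple[str, int]:
    """Assumed ID format: base64 of '<type>:<database id>', e.g. dXNlcjox -> ('user', 1)."""
    type_name, _, db_id = base64.b64decode(global_id).decode("utf-8").partition(":")
    return type_name, int(db_id)


def exposed_fields(response: dict) -> dict[int, set[str]]:
    """Map each returned user's database id to the fields that came back non-null."""
    result: dict[int, set[str]] = {}
    for node in response["data"]["users"]["nodes"]:
        _, db_id = decode_global_id(node["id"])
        result[db_id] = {field for field, value in node.items() if value is not None}
    return result


def audit(public: dict, authenticated: dict) -> dict:
    """Compare a public and an authenticated response to the same users query.

    'public_users' are listed without authentication (expected: users with published
    posts), 'private_users' only appear when authenticated, and 'leaks' lists any
    protected field (e.g. email) that the public response returned with a value.
    """
    pub, auth = exposed_fields(public), exposed_fields(authenticated)
    leaks = {uid: f - PUBLIC_ALLOWED for uid, f in pub.items() if f - PUBLIC_ALLOWED}
    return {
        "public_users": set(pub),
        "private_users": set(auth) - set(pub),
        "leaks": leaks,
    }
```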