API response as elevated user

xasharma

I don't know what it is... but by this, we can get details of the users - https://discuss.flarum.org/api/users/1
I tried this on my site first with different devices and on my site, it also gives us the email of the user, + all the extension details (like minimum criteria to get badges which is Auto moderator extension), and then I think I should report it .... I have 0 zero knowledge about this.
I don't know what is this, a bug or some security problem or normal thing.

[deleted]

xasharma having checked this under guest access, a limited level of detail is exposed via the API. This doesn't include email addresses, or anything else sensitive / anything that could make attribution possible.

xasharma

Yes, you are correct ... I have tried it. It doesn't expose any sensitive info. I tried it with admin account so that's why it is showing the email and stuff.

Thanks for the reply.

clarkwinkelmann

If you are logged in as admin the API will return a lot of sensitive information, particularly on the GET /api endpoint.

If you are logged as a regular user, requesting your own profile will return your email and other private information, but just for your own user.

As guest nothing sensitive should be visible.