Open tkserver opened 7 years ago
Seems cool! I'm glad someone is dealing with Apple! I'm learning from your mistakes/problems/difficulties. :)
I think Pascal is on summer holiday. I've gone ahead and programmed my user block to use the user name instead of the user ID for now. It is working, but I think users can change their user names.
@tkserver Indeed! Where is your code? Can I take a look to see what you've done and try to check from User ID?
Folks! Added the requested change above! Any feedback is welcome! :)
My block user function is done, and based on the user email at this point. So my need for this change is no longer there. BUT, I still think having the ID can be good, but could also be a security risk.
Could you elaborate on the security risk? I don't see why that is. :/
WP doesn't even have a users API. A bot could easily gather all user IDs via the API. Just post numbers to the API and watch the responses.
I think that's an invalid issue! If you fetch posts here: wp-json/wp/v2/posts
Presumably you could do the same but you can't because of the authentication.
You can fetch posts (or any bbp-api items) without authentication. Or maybe I'm not understanding you.
Yes! You are right! What you can't do is post topics or replies with the IDs of the users. Your answer above seemed to imply that or I totally misunderstood it.
All in all! I don't see the security impact yet! :(
I agree, but some think being able to gather all the site's user IDs is a security risk. I had to make my own users API so I can get the user info like avatar and such...
Got it! By the way, probably there is a security risk. I'm just not aware of one. :)
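The probing described in the comments above (requesting numbered IDs and watching the responses) leaves a recognisable trail in web-server logs. The following is an added example, not code from this thread or from bbp-API: a Python check that flags clients walking consecutive numeric IDs on one REST route. The log lines and the `/wp-json/myapp/v1/...` routes are constructed placeholders, and the threshold is an assumption to tune per site.

```python
import re
from collections import defaultdict

# Common/combined access-log line whose path ends in a numeric ID under /wp-json/.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?:GET|POST) (?P<route>/wp-json/\S*?)/(?P<id>\d+)/? HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample input: one client walks users 1..8, another reads two topics.
SAMPLE_LOG = "\n".join(
    ['203.0.113.7 - - [31/Oct/2017:16:00:%02d +0000] '
     '"GET /wp-json/myapp/v1/users/%d HTTP/1.1" %d 120'
     % (i, i, 404 if i in (3, 6) else 200) for i in range(1, 9)]
    + ['198.51.100.20 - - [31/Oct/2017:16:01:00 +0000] "GET /wp-json/myapp/v1/topics/42 HTTP/1.1" 200 900',
       '198.51.100.20 - - [31/Oct/2017:16:01:09 +0000] "GET /wp-json/myapp/v1/topics/57 HTTP/1.1" 200 870',
       '198.51.100.20 - - [31/Oct/2017:16:01:30 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 4100'])

def longest_run(ids):
    """Length of the longest run of consecutive integers in ids."""
    s = set(ids)
    best = 0
    for n in s:
        if n - 1 not in s:              # n is the start of a run
            length = 1
            while n + length in s:
                length += 1
            best = max(best, length)
    return best

def find_id_walkers(log_text, min_run=5):
    """Return {(ip, route): stats} for clients whose requests to a single
    route cover at least min_run consecutive numeric IDs."""
    seen = defaultdict(dict)            # (ip, route) -> {id: last status}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            seen[(m["ip"], m["route"])][int(m["id"])] = int(m["status"])
    flagged = {}
    for key, by_id in seen.items():
        run = longest_run(by_id)
        if run >= min_run:
            found = sum(1 for status in by_id.values() if status == 200)
            flagged[key] = {"ids": len(by_id), "run": run, "found": found}
    return flagged

if __name__ == "__main__":
    print(find_id_walkers(SAMPLE_LOG))
```

The `found` count shows how many probed IDs returned a 200, which is the information an enumerating client is after.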
I'm back here again. I'm now working on the ability to edit a topic/reply via the api. I've made my own API for this. BUT, the bbp api does not return the user_id. I need to know if the user "can edit" if his ID matches the author id, or if the user is an admin. SO I'm back to needing the user_id returned in the API. It seems Pascal's time is no longer available, so I may end up having to move in my own direction.
This works for me:
$all_topic_data['author_id'] = (int)get_post_field ('post_author', $topic_id);
I like the idea of an author object but for now this will do.
@tkserver There is a fix for your problem on #39
Not merged yet I guess. I could give that a try. I basically did the same thing with topics and replies.
Not yet. But you might get the relevant changes and apply to your version.
On Oct 31, 2017 16:27, "tkserver" notifications@github.com wrote:
Not merged yet I guess. I could give that a try.
I have an EASY one for you.
I've now got to put in a "block user" function in my bbpress app to comply with Apple's regulations on user generated content. Sigh. Quite a learning experience dealing with Apple. That said, I think it is a very good feature to have.
If I could get the user ID anytime a topic list or topic/reply is shown, then I could store the blocked user ID locally in the app and not show the content if the blocked id matches.