plone / plone.restapi

RESTful API for Plone.
http://plonerestapi.readthedocs.org/

Possible massive spam with @email-notification endpoint #485

Open erral opened 6 years ago

erral commented 6 years ago

The @email-notification endpoint does not require authentication on the client side, so it could be used as an easy tool to spam the site owner on a public site.

A good option could be to implement a way to enable or disable this endpoint.

tisto commented 6 years ago

@erral the rationale for this is that we provide the same behavior that standard Plone provides. We have a contact form on vanilla Plone that allows spamming of the site owner by default. I am open to suggestions to improve this, though.

erral commented 6 years ago

I was thinking out loud because we are having spam attacks on a site where we are using restapi. The spam attacks are not coming through the API but from public forms.

After seeing that and the contact endpoint, I thought that it could be an "easy" entry point for spam. Perhaps trickier to find (they have to know this is a Plone site, that we are using restapi, ...), but then very easy to exploit.
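The two controls raised in this thread, an enable/disable switch for the endpoint and a throttle on anonymous senders, as an added example that is not plone.restapi code; the `Request` type, the guard class and the sample addresses are constructed here for illustration.

```python
"""Added example (not plone.restapi code): a guard deciding whether a request to
the @email-notification endpoint should be served.

It combines the enable/disable switch proposed in the issue with a per-client
sliding-window limit for anonymous callers, so an unauthenticated client cannot
flood the site owner. Request objects are constructed by the caller so the
example runs offline."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Request:
    # Hypothetical minimal request: origin address, auth state and arrival time.
    client_ip: str
    authenticated: bool
    timestamp: float  # seconds; supplied explicitly so tests are deterministic


@dataclass
class EmailNotificationGuard:
    enabled: bool = True            # the switch erral proposes (site-wide registry flag)
    anon_limit: int = 3             # anonymous messages allowed per window per client
    window_seconds: float = 3600.0  # sliding window of one hour
    _history: dict = field(default_factory=dict)  # client_ip -> deque of timestamps

    def decide(self, req: Request) -> tuple[int, str]:
        """Return (HTTP status, reason). 204 means the mail may be sent."""
        if not self.enabled:
            # Answer like an unknown endpoint so a disabled feature is not advertised.
            return 404, "endpoint disabled"
        if req.authenticated:
            # Logged-in users are accountable; the anonymous throttle does not apply.
            return 204, "ok"
        bucket = self._history.setdefault(req.client_ip, deque())
        # Forget sends that have fallen out of the sliding window.
        while bucket and req.timestamp - bucket[0] >= self.window_seconds:
            bucket.popleft()
        if len(bucket) >= self.anon_limit:
            return 429, "rate limit exceeded for anonymous sender"
        bucket.append(req.timestamp)
        return 204, "ok"
```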