Unpublished content accessible via front-end API #1295

technicallyerik · 2020-04-14T13:43:35Z

Unpublished content is accessible to unauthenticated users via the front-end API.

curl -X GET "http://localhost/api/contents?status=draft" -H "accept: application/ld+json"

A user might have a draft news release, product launch, embargoed product review, etc they might not want a crafty user accessing before it's public.

Details

In your console, enter curl -X GET "http://localhost/api/contents?status=draft" -H "accept: application/ld+json"

(I assume the same is with the GraphQL endpoints)

Only content with a published status is accessible with or without a status parameter when accessing the API as an unauthenticated user.

Unpublished content can be accessed by unauthenticated users via the API.

The text was updated successfully, but these errors were encountered:

I-Valchev · 2020-04-16T14:48:40Z

@technicallyerik thanks for the detailed issue.

A fix for this is in the pipeline. I think we'll sneak in your other PR #1296 before launch too.

I-Valchev mentioned this issue Apr 16, 2020

API shows published and viewless: false content only #1305

Merged

bobdenotter closed this as completed in #1305 Apr 16, 2020

technicallyerik mentioned this issue Apr 18, 2020

Api filter updates #1309

Merged