The Donor Wall API endpoint should only be accessible from authenticated requests. | Voters

The Donor Wall API endpoint should only be accessible from authenticated requests.

complete

Ben Meredith

Currently, the donor wall is available via a public API endpoint. It should not be.
Ideally, only authenticated requests from the front end of WordPress should ahve access to that endpoint. 
Though this is not a security issue since none of the data on the endpoint would be qualified as sensitive information, but can be Personally Identifiable Information (PII).
Donors who select to be anonymous are not displayed on the Donor wall. 
All of that to say, it still would make sense to resritct access to that endpoint, because some organizations may not use the Donor Wall at all, and currently that endpoint is publicly available regardless.

December 16, 2021

Ben Meredith

marked this post as

complete

This has been resolved in version 2.20 of GiveWP. Update to that, and you are all set!

Ravinder Kumar

marked this post as

ready for release

Kyle Johnson

marked this post as

in progress

Kyle Johnson

marked this post as

under review

Kyle Johnson

marked this post as

planned

Ben Meredith

marked this post as

under review

Our team is looking at this, relatively urgently.