Currently it is possible to access the Remote API anonymously when setting the remoteuser option to an empty string.
This was not intentional. Originally an empty string was meant to allow any authenticated user.
I don't think the current behavior introduces any security issues since ACLs are still properly checked. However, some error messages might be a bit misleading...
The question is, do we really want to allow anonymous API access? Or should we always require a user (except for methods marked as public)?