gatsbyjs/gatsby-source-wordpress-experimental

How to authorize gatsby-source-wordpress to pull sensitive information from WPGraphQL?

KabyleBOT opened this issue · 6 comments

Hello, I am looking for a solution to authorize gatsby-source-wordpress-experimental to pull sensitive data, like users without published posts, from WPGraphQL to the front end. Thank you for your help.

Me too. I want to fetch all users, including those without published posts, to create a web page with all collaborators, not only authors.

Hi there, thanks for the feature request. We're not currently planning on adding this for the reasons mentioned here: https://github.com/gatsbyjs/gatsby-source-wordpress-experimental/blob/master/docs/features/security.md

This plugin automatically pulls all public data - if it were authed it would automatically pull all private data too, which would be bad for users who run preview instances. Folks who do that wouldn't necessarily realize that all private data is now publicly available on that preview instance. If someone were to add the JWT auth plugin to their WP site, it wouldn't be clear that any preview instance would now be able to publicly query for the authed user's token. So it's currently a big security problem to add it in.

If you check the link above there are some instructions on making specific private data public and that's a much more secure option.

Thank you very much, I totally agree with your privacy concerns.

Please, can you add a snippet similar to this one related to menu items, but with the goal of also publicly exposing users without posts?

Thanks!

@jenkin I've never done that myself. I'd recommend asking on the WPGraphQL slack 👍

Sorry for the delay, but I figured out how to do it with this tutorial: https://www.wpgraphql.com/2020/12/11/allowing-wpgraphql-to-show-unpublished-authors-in-user-queries/
To hide sensitive data of all users from becoming public, like email: https://gist.github.com/jasonbahl/b074886884c7ed4bb7548e54966514b1.
Thank you
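The two links in the previous comment cover the two halves of the problem: making users without published posts visible to unauthenticated WPGraphQL queries, and then making sure that widening does not leak fields like the e-mail address. The snippet below is an added example, not code from gatsby-source-wordpress-experimental or from the linked tutorial and gist; it is written as a WordPress mu-plugin and assumes the WPGraphQL filter names `graphql_connection_query_args`, `graphql_object_visibility` and `graphql_return_modeled_data`, the `UserConnectionResolver` class, and the `has_published_posts` query argument as they appear in WPGraphQL core. Check those names against the WPGraphQL version you run before relying on it.

```php
<?php
/**
 * Plugin Name: Expose non-author users to WPGraphQL (example)
 *
 * Added example, not the plugin's or WPGraphQL's own code. Lets anonymous
 * WPGraphQL queries (such as a Gatsby build) list users who have no published
 * posts, while stripping sensitive fields for viewers who cannot already
 * list users in wp-admin. Place in wp-content/mu-plugins/ on a test site.
 *
 * Filter and class names below are assumed from the WPGraphQL core source;
 * verify them against the version you run.
 */

// 1. For viewers without the `list_users` capability, the user connection
//    resolver adds a `has_published_posts` constraint, so users with no
//    published posts never show up in `users { nodes }`. Dropping that
//    argument lets them be listed.
add_filter( 'graphql_connection_query_args', function ( $query_args, $resolver ) {
	if ( $resolver instanceof \WPGraphQL\Data\Connection\UserConnectionResolver ) {
		unset( $query_args['has_published_posts'] );
	}
	return $query_args;
}, 10, 2 );

// 2. Even when listed, a user without published posts is modelled as private
//    and resolves to null. Forcing the User model to "public" makes the node
//    resolve. This is the step that widens exposure, which step 3 narrows.
add_filter( 'graphql_object_visibility', function ( $visibility, $model_name ) {
	if ( 'UserObject' === $model_name ) {
		return 'public';
	}
	return $visibility;
}, 10, 2 );

// 3. Remove fields that must not become public. This runs on the prepared
//    field set of every User model, so it covers both the `users` connection
//    and single `user(...)` queries. Removed fields resolve to null; unsetting
//    a key that does not exist in this WPGraphQL version is a harmless no-op.
add_filter( 'graphql_return_modeled_data', function ( $fields, $model_name ) {
	if ( 'UserObject' === $model_name && ! current_user_can( 'list_users' ) ) {
		foreach ( [ 'email', 'registeredDate', 'capabilities', 'extraCapabilities', 'roles' ] as $sensitive ) {
			unset( $fields[ $sensitive ] );
		}
	}
	return $fields;
}, 10, 2 );
```

To confirm the result, send an unauthenticated query such as `{ users { nodes { name email } } }` to the `/graphql` endpoint: every user should appear in `nodes`, and `email` should be `null` for all of them, while the same query sent with a logged-in administrator cookie still returns the addresses. Keeping step 3 alongside step 2 matters because step 2 on its own makes every User field public, which is exactly the preview-instance leak the maintainer described above.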