Is the content API exposing private data?

[sunscreem]

Bug Description

I've enabled the content API and in my api.php I've set

  'resources' => [
        'collections' => false,
    ]

I then hit:

mydomain.com/collections/news_articles/entries?filter[news_categories:contains]=category-b

And all works, the problem is I'm seeing user data:

"updated_at": "2021-05-01T14:10:37.000000Z",
      "updated_by": {
        "id": "7ea8cf2e-0377-481a-bda2-4b63ec87a2f3",
        "name": "Robert Cooper",
        "email": "******", 
        "api_url": "http:\/\/*******\/api\/users\/7ea8cf2e-0377-481a-bda2-4b63ec87a2f3"
      },
      "uri": null,
      "url": "\/"

I'm new to Statamic so I'm confident I'm just doing something dumb. Help appreciated.

Environment

Statamic 3.1.11 Pro
Laravel 8.40.0
PHP 7.4.12
jonassiewertsen/statamic-external-link 1.3.0

This seems to be happening in dev and production with debug on or off.

Install method (choose one):

• Fresh install from statamic/statamic

[duncanmcclean]

I can see where you're coming from, you may not want user information to be exposed like that.

I'm not sure if there's a way to disable updated_at and updated_by from being returned from the API, I'll leave that for someone else to answer 😆

[jasonvarga]

That's fair!

What's happening is that the API will output everything that you'd be able to use in your templates. That's your blueprint fields, etc. updated_by is included in there.

You can set the track_last_update setting to false. Then, remove the updated_by and updated_at values from your entries. This will stop those from being shown in the API.

We can work out more in depth control over those fields in the future. Or at least a simpler way to control excluding certain fields.

[sunscreem]

I think the problem here is that the docs don't show this or explain how to mitigate it.

For example, someone following the docs might not be aware that this information is publicly available (even if they use a filter)

Thanks for looking into it :)

[duncanmcclean]

Feel free to PR an update to the docs if you can find a place to add a note for it. 😄

Also, totally unrelated: nice to see a fellow 🏴󠁧󠁢󠁳󠁣󠁴󠁿 Scot on here.

[sunscreem]

Hey Folks,

Isn't this a security flaw though? Shouldn't the api be unable to expose this data unless something is specifically set to do so?

I'm worried that folk don't know their email address can be found this way.

[lotarbo]

mb its possible to add array in collection, like excluded keys/fields from content api? i want hide keys that doesnt refer to content

[jasonvarga]

In #5041 you'll be able to add excluded_keys to your config/statamic/api.php config file, which will remove those fields from API responses.

You could put updated_by in there.