Reply To: *URGENT – SECURITY BUG*

#2351
alexg
Keymaster

Thank you for reporting this. I am posting here for the benefit of anyone else reading this.

You describe that the get_user_info JSON call divulges user names. This is not a bug, but works as intended and is documented behavior.

I do intend to replace this API in the future with something that does not divulge user names, but it will be done when I rework the API because it’s an architectural change and is tied to a lot of other things that also need to change.

For the time being you can disable the “send funds to user” capability from any user roles that you do not wish to be able to see user names. These users will not be able to initiate internal transfers or use the [wallets_move] shortcode, but the deposit/withdrawal functionality will still be there.

Again thanks for reporting.