Custom Post Types and Privacy Expectations

I’ve been auditing the data that is exposed by default by the API, and I’ve run across several instances where sensitive data is shown to anonymous clients. In each case, this was caused by a plugin creating custom post types with posts and meta fields set to `public` rather than `private`.

I think the potential ramifications for this are pretty huge. For example, I was able to anonymously read contact form submissions from Jetpack, because those use a custom post type. The post type is set to `private`, but the posts themselves are set to `publish`.

I was also able to read threads in private bbPress forums for the same reason, as well as sensitive data stored in post meta fields on various custom post types, because they weren’t marked as private with the `_` prefix (or the `is_protected_meta` filter).

I think the vast majority of plugins using custom post types are flawed in the same way, because up until now there haven’t been any hard consequences for improperly setting the `public` flag on a post type, or for `publishing` posts that have no front-end archive, or failing to set meta fields to private.

I think this begs a lot of questions around privacy and the expectations of site admins and plugin developers, and I wanted to start a discussion around those.

  • Should the onus for privacy be on the API, on plugin developers, or on site admins? I think the answer to this question will shape how many of the other questions are framed and answered.
  • Should the API be enabled by default?
  • Should all “public” data be exposed by default, or should the admin have to whitelist the data they want exposed?
  • Should `published` posts belonging to a `private` post type be exposed?
  • Should there be a new flag added to `create_post_type()` to indicate whether or not a post type and it’s associated posts/meta are included in JSON API output?
  • Some post authors will manually create custom fields on a post to store notes, and they won’t know anything about using the `_` prefix to make it private. How can that situation be handled?
  • Do new best practices need to be developed around privacy and custom post types, and then spread out to developers? For instance, sending an email to every plugin author in repo who calls `create_post_type()`