Why is users.php returning user's password hash?

Joomla REST API (free)

Jari Martikainen

Saturday, 31 March 2018

1 Replies

2.2K Visits

Votes

Undo

I recently added the REST API to my dev site and I was wondering if there is a reason for the users plugin to spit out the password hash?



index.php?option=com_api&app=users&resource=users&id={user_id}

will output the password hash from the user object since it is not unset on line 363 in plugins/api/users/user/users.php:



// If we have an id try to fetch the user

		if ($id = $input->get('id'))

		{

			$user = JUser::getInstance($id);

			if (!$user->id)

			{

				$this->plugin->setResponse($this->getErrorResponse(JText::_( 'PLG_API_USERS_USER_NOT_FOUND_MESSAGE' )));



				return;

			}

			// Returns password hash unless unset below.

			unset($user->password);

			$this->plugin->setResponse($user);

		}

		else

		{

			$model = new UsersModelUsers;

			$users = $model->getItems();



			foreach ($users as $k => $v)

			{

				unset($users[$k]->password);

			}



			$this->plugin->setResponse($users);

		}

Please login to post a reply

You will need to be logged in to be able to post a reply. Login using the form on the right or register an account if you are new here. Register Here »