Kiailandi added a comment.

Right now the CREATE, UPDATE and DELETE endpoints do not have user authentication and the only "layer of security" is client-side.

This means that by following the standard user workflow only logged-in users can access data manipulation pages and can edit their datasets or update new ones, but technically anyone can access any dataset by making requests directly to the endpoint.

Considering that creating new datasets is possible for any user anyway and that to update a dataset you need to provide well-structured and valid data, we can live with that, but given the far worse consequences of an ill-intentioned DELETE we will close the DELETE endpoint for the time being, until a proper server-side authentication system is implemented.



To: Kiailandi
Cc: Aklapper, Hjfocs, Lahi, Gq86, GoranSMilovanovic, Kiailandi, QZanden, dachary, LawExplorer, Wikidata-bugs, aude, Ricordisamoa, Sjoerddebruin, Tpt, Mbch331