Using Postman, I query:
query MyQuery {
  users {
    nodes {
      id
      email
    }
  }
}
With an authenticated request (and admin rights), I get:
{
  "data": {
    "users": {
      "nodes": [
        {
          "id": "dXNlcjox",
          "email": "..."
        },
        {
          "id": "dXNlcjoz",
          "email": ".........."
        },
        {
          "id": "dXNlcjoy",
          "email": "................."
        }
      ]
    }
  },
  "extensions": {
    "debug": []
  }
}
which returns all users, and that's OK.
BUT!!!
With a public request I get:
{
  "data": {
    "users": {
      "nodes": [
        {
          "id": "dXNlcjox",
          "email": null
        }
      ]
    }
  },
  "extensions": {
    "debug": []
  }
}
Why is the node with "id": "dXNlcjox"
exposed to a public request?
Is this a security concern?
Actually, this is ok.
Quoting from the WP GraphQL page:
This certain node:
"id": "dXNlcjox"
happens to be the admin, whose existence is, for WordPress, public information (even if his email is not).
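
The comparison made above between the authenticated and the public response can be scripted as a check of what an unauthenticated caller actually receives. This is an added example, not part of the original question or answer. The e-mail values are constructed placeholders, the function names are hypothetical, and it assumes the ids are base64 of `type:databaseId` (the id shown above decodes to `user:1`).

```python
import base64

# Constructed responses shaped like the two on this page; the e-mail
# addresses are placeholders, the ids are the ones shown above.
AUTHENTICATED = {"data": {"users": {"nodes": [
    {"id": "dXNlcjox", "email": "admin@example.test"},
    {"id": "dXNlcjoz", "email": "editor@example.test"},
    {"id": "dXNlcjoy", "email": "author@example.test"},
]}}}
PUBLIC = {"data": {"users": {"nodes": [
    {"id": "dXNlcjox", "email": None},
]}}}


def decode_global_id(global_id):
    """Split a base64 'type:databaseId' global ID into its two parts."""
    raw = base64.b64decode(global_id, validate=True).decode("utf-8")
    type_name, sep, db_id = raw.partition(":")
    if not sep or not db_id.isdigit():
        raise ValueError(f"unexpected global ID layout: {raw!r}")
    return type_name, int(db_id)


def public_exposure(auth_resp, public_resp, connection="users"):
    """For every node the admin sees, report what a public caller gets."""
    public_nodes = {n["id"]: n
                    for n in public_resp["data"][connection]["nodes"]}
    report = []
    for node in auth_resp["data"][connection]["nodes"]:
        type_name, db_id = decode_global_id(node["id"])
        seen = public_nodes.get(node["id"])
        report.append({
            "type": type_name,
            "database_id": db_id,
            "listed_publicly": seen is not None,
            # Fields besides the id that come back non-null without auth.
            "public_fields": sorted(
                k for k, v in (seen or {}).items()
                if k != "id" and v is not None),
        })
    return sorted(report, key=lambda r: r["database_id"])


if __name__ == "__main__":
    for row in public_exposure(AUTHENTICATED, PUBLIC):
        print(row)
```

Any row with a non-empty `public_fields` list, or a user listed publicly who should not be, is what to review.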