JSON-RPC API allows anonymous content rendering

2014-03-17T02:18:00
ID ATLASSIAN:CONF-32955
Type atlassian
Reporter djohnson@atlassian.com
Modified 2017-02-17T04:33:08

Description

The renderContent method can be used by anonymous users, leaking information, and allowing macro execution.

Should the entire JSON-RPC be inaccessible to anonymous users if anonymous users can't use confluence?