[Magento_Version] Do not publicly disclose store version

[kassner]

Hi,

Looks like we have this particular Magento_Version module, that the unique purpose is to disclose publicly which Magento version and edition the store is running. Although is a good idea to allow other systems that integrate to Magento retrieve the current version to do proper API calls, I strongly believe this should not be available wide open, but rather inside secure/authenticated endpoint.

Can we make this call authenticated? Or maybe remove the module at all? Why outsiders need to know which minor version a particular store is running?

Thanks!

[avoelkl]

I agree, I would not show this as a public available information per default.

[veloraven]

@kassner your proposition looks like an improvement.
Could you please transfer it to the new Magento 2 Feature Requests and Improvements forum (see details here)?

[kassner]

@veloraven no, I think it is a security issue, not a feature request.

[veloraven]

@kassner than please format it according to the Issue reporting guidelines: with steps to reproduce, actual result and expected result.
Please, also identify which version of Magento you are running.

[veloraven]

According to contributor guide, tickets without response for two weeks should be closed.
If this issue still reproducible please feel free to create the new one: format new issue according to the Issue reporting guidelines: with steps to reproduce, actual result and expected result and specify Magento version.

[kassner]

@benmarks @sherrierohde What is the point of having community moderators if the only thing they do is poking about a damn ticket structure?

[miguelbalparda]

You were told to go to the forums or reformat the issue according to the guidelines and you failed to do it. These rules are probably here to keep things in order and have a clear workflow (and make things reproducible for others FWIW).
If everybody thinks the issue they are reporting is more important than others and that they don't need to follow the guidelines because "the only thing they (community moderators) do is poking about a damn ticket structure" this would be a total chaos.
Guidelines are clear and moderators are just following them. Go ahead and restructure this or go to the forums, there is no need to be rude with the moderators because you don't like the way they manage things around here.