I recently added the REST API to my dev site and I was wondering if there is a reason for the users plugin to spit out the password hash?
will output the password hash from the user object since it is not unset on line 363 in plugins/api/users/user/users.php:
// If we have an id try to fetch the user
if ($id = $input->get('id'))
$user = JUser::getInstance($id);
$this->plugin->setResponse($this->getErrorResponse(JText::_( 'PLG_API_USERS_USER_NOT_FOUND_MESSAGE' )));
// Returns password hash unless unset below.
$model = new UsersModelUsers;
$users = $model->getItems();
foreach ($users as $k => $v)