<p>Well anybody can read api details though you do get a few extra bits of information (the pd flag, home location, language list and message count) if you're authenticated and reading your own details.</p>
<p>It's confusing because there is <code>/api/0.6/user/N</code> which doesn't require authentication and <code>/api/0.6/user/details</code> which does and requires the <code>allow_read_perfs</code> permission as you say but both wind up rendering the same template. The second just defaults the user to the authenticated user but if you hit the first one and are authenticated as yourself you will see the extra details.</p>

<p style="font-size:small;-webkit-text-size-adjust:none;color:#666;">—<br />You are receiving this because you are subscribed to this thread.<br />Reply to this email directly, <a href="https://github.com/openstreetmap/openstreetmap-website/issues/1530#issuecomment-297281861">view it on GitHub</a>, or <a href="https://github.com/notifications/unsubscribe-auth/ABWnLWi_Qltxjou5zxGSHkfzgf95GQGWks5rzvtxgaJpZM4NIekb">mute the thread</a>.<img alt="" height="1" src="https://github.com/notifications/beacon/ABWnLVQCX_W3lRY_CcYcUmoUcIu8yRkLks5rzvtxgaJpZM4NIekb.gif" width="1" /></p>
<div itemscope itemtype="http://schema.org/EmailMessage">
<div itemprop="action" itemscope itemtype="http://schema.org/ViewAction">
  <link itemprop="url" href="https://github.com/openstreetmap/openstreetmap-website/issues/1530#issuecomment-297281861"></link>
  <meta itemprop="name" content="View Issue"></meta>
</div>
<meta itemprop="description" content="View this Issue on GitHub"></meta>
</div>

<script type="application/json" data-scope="inboxmarkup">{"api_version":"1.0","publisher":{"api_key":"05dde50f1d1a384dd78767c55493e4bb","name":"GitHub"},"entity":{"external_key":"github/openstreetmap/openstreetmap-website","title":"openstreetmap/openstreetmap-website","subtitle":"GitHub repository","main_image_url":"https://cloud.githubusercontent.com/assets/143418/17495839/a5054eac-5d88-11e6-95fc-7290892c7bb5.png","avatar_image_url":"https://cloud.githubusercontent.com/assets/143418/15842166/7c72db34-2c0b-11e6-9aed-b52498112777.png","action":{"name":"Open in GitHub","url":"https://github.com/openstreetmap/openstreetmap-website"}},"updates":{"snippets":[{"icon":"PERSON","message":"@tomhughes in #1530: Well anybody can read api details though you do get a few extra bits of information (the pd flag, home location, language list and message count) if you're authenticated and reading your own details.\r\n\r\nIt's confusing because there is `/api/0.6/user/N` which doesn't require authentication and `/api/0.6/user/details` which does and requires the `allow_read_perfs` permission as you say but both wind up rendering the same template. The second just defaults the user to the authenticated user but if you hit the first one and are authenticated as yourself you will see the extra details."}],"action":{"name":"View Issue","url":"https://github.com/openstreetmap/openstreetmap-website/issues/1530#issuecomment-297281861"}}}</script>