2amigos / yii2-usuario

Highly customizable and extensible user management, authentication, and authorization Yii2 extension
https://github.com/2amigos/yii2-usuario

Add option to limit profile views only for admin users #545

Closed TonisOrmisson closed 7 months ago

TonisOrmisson commented 7 months ago
| Q | A |
| --- | --- |
| Is bugfix? | no |
| New feature? | yes |
| Breaks BC? | no |
| Tests pass? | yes |

Currently any user can check any other user's profile. This change will add a module parameter disableProfileViewsForRegularUsers which will only allow admin-level users to check other people's profiles.

maxxer commented 7 months ago

Currently any user can check any other user's profile. This change will add a module parameter disableProfileViewsForRegularUsers which will only allow admin-level users to check other people's profiles.

Wow... Looks like an information disclosure issue. I'd consider defaulting the new param to true.

TonisOrmisson commented 7 months ago

Currently any user can check any other user's profile. This change will add a module parameter disableProfileViewsForRegularUsers which will only allow admin-level users to check other people's profiles.

Wow... Looks like an information disclosure issue. I'd consider defaulting the new param to true.

Yes, I actually had the same question in mind. I definitely want this to be "closed" by default, not open as it is now. I would rename the param if it's a wider consensus that the default should be closed. It will possibly be a breaking change then. Maybe close it by default and then do a v1.7 release?

TonisOrmisson commented 7 months ago

I did not check that before, but it seems the profile view page is not only open to any logged-in user, but also to guests. I suggest it should be 2-level closing here. 1) whether it's open to logged-in users vs admin 2) whether it's open to guests.

I will suggest changes towards that direction in a while
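The two-level restriction discussed in this thread (admins vs. regular logged-in users, and logged-in users vs. guests) can be expressed as a Yii2 access filter. The following is an added example, not code from this pull request or from yii2-usuario itself. It assumes the module exposes the boolean property disableProfileViewsForRegularUsers named in the PR plus a hypothetical allowGuestProfileViews property for the second level, and that the user identity exposes an isAdmin property as yii2-usuario's Da\User\Model\User does; both flags are read with a closed-by-default fallback.

```php
<?php
// Added example (not part of yii2-usuario): two-level access control for a
// profile view action. Assumed module properties:
//   - disableProfileViewsForRegularUsers (named in the PR; true = admins only)
//   - allowGuestProfileViews            (hypothetical; true = guests may view)
// Assumed identity property: isAdmin (Da\User\Model\User::getIsAdmin()).

namespace app\controllers;

use Yii;
use yii\filters\AccessControl;
use yii\web\Controller;
use yii\web\ForbiddenHttpException;

class ProfileController extends Controller
{
    /** Read a module flag, falling back to the closed/safe value if it is unset. */
    private static function flag(string $name, bool $closedDefault): bool
    {
        $module = Yii::$app->getModule('user'); // default module id in yii2-usuario
        return ($module !== null && isset($module->$name)) ? (bool) $module->$name : $closedDefault;
    }

    public function behaviors()
    {
        return [
            'access' => [
                'class' => AccessControl::class,
                'only' => ['show'],
                'rules' => [
                    // Level 2 (guests): only when the hypothetical flag explicitly opens it.
                    [
                        'allow' => true,
                        'actions' => ['show'],
                        'roles' => ['?'],
                        'matchCallback' => function () {
                            return self::flag('allowGuestProfileViews', false);
                        },
                    ],
                    // Level 1 (logged-in users): admins always pass; regular users pass
                    // only when profile views are not restricted to admins.
                    [
                        'allow' => true,
                        'actions' => ['show'],
                        'roles' => ['@'],
                        'matchCallback' => function () {
                            $identity = Yii::$app->user->identity;
                            $isAdmin = $identity !== null && !empty($identity->isAdmin);
                            return $isAdmin
                                || !self::flag('disableProfileViewsForRegularUsers', true);
                        },
                    ],
                ],
                // Anything not explicitly allowed above is denied.
                'denyCallback' => function () {
                    throw new ForbiddenHttpException('Viewing other profiles is restricted.');
                },
            ],
        ];
    }

    public function actionShow($id)
    {
        // Only reached when one of the allow rules above matched.
        return $this->render('show', ['id' => $id]);
    }
}
```

Because both flags fall back to the closed value when the module does not define them, an application that forgets to configure them ends up with profiles visible to admins only, which matches the "closed by default" outcome the thread is leaning toward; opening either level is then a deliberate configuration change in the `user` module settings.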

maxxer commented 7 months ago

Ok, I'll merge this as-is. I'd then close up in the next release.

Do you mind creating a new issue, so others are aware of the future change and it's open for discussion?

Thank you.

TonisOrmisson commented 7 months ago

ok, I'll do that. But I would suggest to do a minor release on this one then also with this fix