FriendsOfFlarum / gamification

Add upvotes, downvotes, and ranks to your Flarum Community
https://discuss.flarum.org/d/20671-friendsofflarum-gamification
MIT License
36 stars 17 forks

Respect `seeVoters` permission while displaying voters widget in discussion sidebar #85

Closed rob006 closed 2 years ago

rob006 commented 2 years ago

Changes proposed in this pull request:

Currently a user can see this widget even if he does not have permissions to see the voters list:

08a80d8a

After this PR this widget will respect "See who voted" permissions.

Confirmed

davwheat commented 2 years ago

I think this indicates a bigger issue in regard to leaking this data even when the permission is not present for the actor, no?

rob006 commented 2 years ago

Probably yes.

I also feel that there might be performance issues since the API seems to return a list of all votes for this widget, even if only the first ~15 records are relevant for this widget. So if we have 10k votes, the forum will query, serialize and send a lot of data that is not really used. AFAIK the likes extension had/has this problem and there were performance problems about this on the forum. While this PR does not fix the leaking problem, it mitigates performance issues since votes info is not queried if this widget is not visible.

rob006 commented 2 years ago

Voters are also leaking on the user profile - you can see posts a user voted on even if you don't have permissions to see voters.
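
Added example, not part of the pull request or of the extension's code: a small JavaScript model of the distinction raised in this thread, where hiding the widget on the client leaves the voter list in the API payload, while gating at serialization removes it and also caps it at the ~15 entries the widget shows. Only the `seeVoters` permission name comes from the page; every function, field and data value below is hypothetical and constructed for illustration.

```javascript
// Constructed model; these are NOT Flarum or fof/gamification APIs.
const WIDGET_LIMIT = 15; // the thread says only the first ~15 voters are displayed

// Constructed sample data: one discussion with 40 votes (every 5th is a downvote).
const discussion = {
  id: 1,
  title: 'Sample discussion',
  votes: Array.from({ length: 40 }, (_, i) => ({ userId: i + 1, value: i % 5 === 0 ? -1 : 1 })),
};

function score(d) {
  return d.votes.reduce((sum, v) => sum + v.value, 0);
}

// Client-only gating: the payload always carries every voter; the UI merely hides them.
function serializeUngated(d) {
  return { id: d.id, title: d.title, score: score(d), voters: d.votes.map(v => v.userId) };
}

// Server-side gating: voters are omitted unless the actor holds the permission,
// and even then only the slice the widget renders is serialized.
function serializeGated(d, actor) {
  const out = { id: d.id, title: d.title, score: score(d) };
  if (actor.permissions.includes('seeVoters')) {
    out.voters = d.votes.slice(0, WIDGET_LIMIT).map(v => v.userId);
    out.voterCount = d.votes.length; // lets the widget show "+N more" without the full list
  }
  return out;
}

// What the widget does with a response: render only when permitted.
function renderWidget(payload, actor) {
  if (!actor.permissions.includes('seeVoters') || !payload.voters) return null;
  return payload.voters.slice(0, WIDGET_LIMIT);
}

const guest = { permissions: [] };
const moderator = { permissions: ['seeVoters'] };

// Widget is hidden for the guest, yet the ungated payload still holds all 40 voter ids.
console.log(renderWidget(serializeUngated(discussion), guest), serializeUngated(discussion).voters.length);
// Gated payload: no voters key for the guest, 15 entries for the moderator.
console.log(Object.keys(serializeGated(discussion, guest)), serializeGated(discussion, moderator).voters.length);
```
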