FriendsOfFlarum / user-directory

The permission-based public user directory extension for your Flarum forum.
https://discuss.flarum.org/d/5682
MIT License

Latest Online leak (fixed with beta 16) #55

Closed DursunCanPoyraz closed 3 years ago

DursunCanPoyraz commented 3 years ago

When the user is blocked from appearing online, they should not appear in the user list in the last online order.

clarkwinkelmann commented 3 years ago

Thanks for the report. This is indeed a serious issue.

The problem actually lies with Flarum itself. The sorting ability isn't implemented by User Directory. Anyone with "View user list" permission can exploit the leak from Flarum API.

I have created an issue with details on the Flarum tracker https://github.com/flarum/core/issues/2519

I will keep this issue open for now since other people might notice the problem and come look on this repository.

clarkwinkelmann commented 3 years ago

The issue should be fixed in Flarum beta 16 once we merge https://github.com/flarum/core/pull/2634

We will need to remove the sort option in FoF User Directory to prevent people from getting a 400 error once the sort field no longer exists.

Since the sort field will still be available to some users, we could dynamically continue to show the sort option to users with user.viewLastSeenAt permission.
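
A small model of the leak and the permission-gated fix discussed in this thread, added here as an illustration (it is not Flarum or FoF User Directory code, and the data, the `hide_online` flag and the function names are constructed for the example; only the `user.viewLastSeenAt` permission name comes from the thread). It shows why hiding the `lastSeenAt` attribute in the serializer is not enough when the API still lets any caller sort by that field, and how ignoring the sort unless the actor holds the permission closes the gap:

```python
from dataclasses import dataclass

# Permission name mentioned in the thread.
VIEW_LAST_SEEN = "user.viewLastSeenAt"


@dataclass
class User:
    username: str
    last_seen_at: int   # constructed timestamp, larger = more recent
    hide_online: bool   # user chose to hide their online status


# Constructed sample users; bob has hidden his online status.
USERS = [
    User("alice", 100, False),
    User("bob", 300, True),
    User("carol", 200, False),
]


def serialize(user, actor_perms):
    """Attribute-level hiding: drop lastSeenAt for hidden users unless the actor may see it."""
    data = {"username": user.username}
    if not user.hide_online or VIEW_LAST_SEEN in actor_perms:
        data["lastSeenAt"] = user.last_seen_at
    return data


def list_users_unsafe(actor_perms, sort=None):
    """Leaky behaviour: the sort is applied for everyone, so the position of a
    hidden user in the result still reveals his last-seen time."""
    users = list(USERS)
    if sort == "lastSeenAt":
        users.sort(key=lambda u: u.last_seen_at, reverse=True)
    return [serialize(u, actor_perms) for u in users]


def allowed_sort(actor_perms, sort):
    """Gate: only actors with the permission may sort by lastSeenAt; others fall back to default order."""
    if sort == "lastSeenAt" and VIEW_LAST_SEEN not in actor_perms:
        return None
    return sort


def list_users_fixed(actor_perms, sort=None):
    """Fixed behaviour: the sort is checked against the actor's permissions first."""
    users = list(USERS)
    if allowed_sort(actor_perms, sort) == "lastSeenAt":
        users.sort(key=lambda u: u.last_seen_at, reverse=True)
    return [serialize(u, actor_perms) for u in users]


def sort_options_for(actor_perms):
    """Sort options the directory UI should offer, so unprivileged users never send a rejected sort."""
    options = ["username"]
    if VIEW_LAST_SEEN in actor_perms:
        options.append("lastSeenAt")
    return options


if __name__ == "__main__":
    print("unsafe, no permission:", [u["username"] for u in list_users_unsafe(set(), "lastSeenAt")])
    print("fixed,  no permission:", [u["username"] for u in list_users_fixed(set(), "lastSeenAt")])
    print("fixed,  with permission:", [u["username"] for u in list_users_fixed({VIEW_LAST_SEEN}, "lastSeenAt")])
```

In the unsafe version the hidden user is ordered to the top even though his `lastSeenAt` attribute is absent from the response, which is exactly the leak reported above; the fixed version keeps the default order for callers without the permission and only offers the sort option to those who have it.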

davwheat commented 3 years ago

Now merged into core. When beta 16 releases, this will be fixed (once you upgrade your forum, of course).

In the meantime, you could fork this ext and remove the sorting option, or fork core and patch core with this PR, or just wait it out.

davwheat commented 3 years ago

Reopened to keep the issue visible until beta 16 releases.

imorland commented 3 years ago

Resolved 0.6.0