Open askvortsov1 opened 3 years ago
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. We do this to keep the amount of open issues to a manageable minimum. In any case, thanks for taking an interest in this software and contributing by opening the issue in the first place!
Bug Report
Current Behavior
ShowUserController currently only uses viewDiscussions (via ScopeUserVisibility) to restrict who can access user profiles (changed from viewUserList in flarum/framework#2305). This makes sense when accessing the profile by slug, but we should restrict it to viewUserList when accessing by ID to prevent enumeration.
Environment
Possible Solution
When not accessing by slug, a check for $user->can('viewUserList') should be done.
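
The check proposed in the issue above, as an added sketch that is not part of the original report or Flarum's own code. The permission names come from the issue; `Actor`, `showUser`, `USERS` and the exception classes are hypothetical stand-ins for the real actor, controller and user repository.

```php
<?php
// Added illustration: stand-in classes, not Flarum's real User model or controller.

final class Actor
{
    public function __construct(private array $permissions) {}

    public function can(string $ability): bool
    {
        return in_array($ability, $this->permissions, true);
    }
}

final class PermissionDenied extends RuntimeException {}
final class NotFound extends RuntimeException {}

// Constructed sample data: sequential id => slug.
const USERS = [1 => 'admin', 2 => 'alice', 3 => 'bob'];

function showUser(Actor $actor, string $id, bool $bySlug): array
{
    // Visibility scope applied to every lookup (the viewDiscussions gate from the issue).
    if (! $actor->can('viewDiscussions')) {
        throw new NotFound();
    }
    // IDs are sequential and guessable, so a by-ID lookup additionally needs
    // viewUserList; a slug lookup implies the caller already knows the username.
    if (! $bySlug && ! $actor->can('viewUserList')) {
        throw new PermissionDenied();
    }
    if ($bySlug) {
        $userId = array_search($id, USERS, true);
    } else {
        $userId = (ctype_digit($id) && array_key_exists((int) $id, USERS)) ? (int) $id : false;
    }
    if ($userId === false) {
        throw new NotFound();
    }
    return ['id' => $userId, 'slug' => USERS[$userId]];
}

$guest = new Actor(['viewDiscussions']);   // may read the forum, may not list users
print_r(showUser($guest, 'alice', true));  // allowed: the slug was already known

try {
    showUser($guest, '2', false);          // denied before any lookup happens
} catch (PermissionDenied $e) {
    echo "by-ID lookup denied without viewUserList\n";
}
```

The permission check runs before the lookup, so a denied by-ID request gives the same response whether or not the ID exists.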