flarum / issue-archive


Restrict `ShowUserController` by ID to users who can `viewUserList` #157

Open askvortsov1 opened 3 years ago

askvortsov1 commented 3 years ago

Bug Report

Current Behavior

ShowUserController currently only uses viewDiscussions (via ScopeUserVisibility) to restrict who can access user profiles (changed from viewUserList in flarum/framework#2305). This makes sense when accessing the profile by slug, but we should restrict it to viewUserList when accessing by ID to prevent enumeration.

Environment

Possible Solution

When not accessing by slug, a check for $user->can('viewUserList') should be done.
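An added, stand-alone illustration of the proposed check (this is not Flarum's code and not part of the issue): a slug lookup stays gated only by the existing visibility scoping, while a numeric-ID lookup additionally requires viewUserList, so an unprivileged actor walking IDs 1..N gets the same denial for existing and non-existing accounts and learns nothing. The `Actor`, `UserStore` and `lookupUser` names, the sample users and the modelling of ScopeUserVisibility as a plain `viewDiscussions` ability check are assumptions made for the example; PHP 8 is assumed.

```php
<?php
// Added example, not Flarum's code. Models the fix proposed in the issue:
// ID-based profile lookups require `viewUserList`, slug-based ones do not.
// Actor, UserStore and lookupUser are hypothetical stand-ins for Flarum's
// actor object, UserRepository and ShowUserController::data().

final class Actor
{
    public function __construct(private array $permissions) {}

    // Stand-in for Flarum's $actor->can($ability).
    public function can(string $ability): bool
    {
        return in_array($ability, $this->permissions, true);
    }
}

final class PermissionDenied extends RuntimeException {}
final class NotFound extends RuntimeException {}

final class UserStore
{
    /** @var array<int, array{id:int, slug:string}> constructed sample data */
    private array $users = [
        1 => ['id' => 1, 'slug' => 'admin'],
        2 => ['id' => 2, 'slug' => 'alice'],
        7 => ['id' => 7, 'slug' => 'bob'],
    ];

    public function findById(int $id): array
    {
        return $this->users[$id] ?? throw new NotFound("user $id");
    }

    public function findBySlug(string $slug): array
    {
        foreach ($this->users as $u) {
            if ($u['slug'] === $slug) {
                return $u;
            }
        }
        throw new NotFound("slug $slug");
    }
}

/**
 * Resolve a user as the issue proposes. The visibility scoping that already
 * applies to every lookup is modelled here as a `viewDiscussions` check;
 * the ID path adds the `viewUserList` check before touching the store.
 */
function lookupUser(UserStore $store, Actor $actor, string $id, bool $bySlug): array
{
    if (!$actor->can('viewDiscussions')) {
        throw new PermissionDenied('viewDiscussions');
    }

    if ($bySlug) {
        return $store->findBySlug($id);
    }

    // Proposed check: numeric-ID access is an enumeration vector, so gate it
    // on the same permission as the user list. Checking before the lookup
    // means "exists" and "missing" are indistinguishable to this actor.
    if (!$actor->can('viewUserList')) {
        throw new PermissionDenied('viewUserList');
    }

    return $store->findById((int) $id);
}

// Demo: probe IDs 1..8 as a guest (no viewUserList) and as a moderator.
$store  = new UserStore();
$actors = [
    'guest'     => new Actor(['viewDiscussions']),
    'moderator' => new Actor(['viewDiscussions', 'viewUserList']),
];

foreach ($actors as $label => $actor) {
    $seen = [];
    for ($i = 1; $i <= 8; $i++) {
        try {
            lookupUser($store, $actor, (string) $i, false);
            $seen[$i] = 'exists';
        } catch (NotFound) {
            $seen[$i] = 'missing';
        } catch (PermissionDenied) {
            $seen[$i] = 'denied';
        }
    }
    echo $label, ': ', json_encode($seen), PHP_EOL;
}

// Slug access (the profile link from a discussion) still works for the guest.
echo json_encode(lookupUser($store, $actors['guest'], 'alice', true)), PHP_EOL;
```

Run with `php example.php`: the guest line shows `denied` for every ID, the moderator line shows `exists` for 1, 2 and 7 and `missing` elsewhere, and the final line prints alice's record. The important design point is ordering: the permission check sits before the repository call, so the response for an unprivileged actor does not depend on whether the ID exists.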

stale[bot] commented 3 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. We do this to keep the amount of open issues to a manageable minimum. In any case, thanks for taking an interest in this software and contributing by opening the issue in the first place!