Restrict `ShowUserController` by ID to users who can `viewUserList

[askvortsov1]

Bug Report

Current Behavior ShowUserController currently only uses viewDiscusions (via ScopeUserVisibility) to restrict who can access user profiles (changed from viewUserList in flarum/framework#2305). This makes sense when accessing the profile by slug, but we should restrict it to viewUserList when accessing by ID to prevent enumeration.

Environment

• Flarum version: beta 15

Possible Solution When not accessing by slug, a check for $user->can('viewUserList') should be done.

[stale[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. We do this to keep the amount of open issues to a manageable minimum. In any case, thanks for taking an interest in this software and contributing by opening the issue in the first place!