Require viewUserList to get user by ID #2573
Conversation
askvortsov1
force-pushed
the
as/require-view-user-list-to-get-user-by-id
branch
from
68b9e80
to
a4a8541
Compare
This makes it more difficult to scape the API for users
askvortsov1
force-pushed
the
as/require-view-user-list-to-get-user-by-id
branch
from
a4a8541
to
ec4fafb
Compare
There was a problem hiding this comment.
Couldn't this cause issues with extensions that use GET /api/users/id to refresh a user profile? That's a hypothetical, but just like clicking on homepage refreshes the current user, an extension might generate a request to it when clicking on the same profile you are on to refresh. Would the extension have access to the required information to make the request using the correct slugging?
Actually speaking of current user, doesn't this break the exact feature I describe? Doesn't clicking on homepage or notifications refreshes the user by making a request to their own profile by ID? We would have to allow making a request by ID to the current actor at the very least.
Other thing, can't you obtain the same information by hitting PATCH /api/users/id without any attributes ?
|
These are good points. Assuming the correct serializer is always used, do we even want to prevent ID-based enumeration in core? |
|
I feel like the problem of enumeration would be best solved by a community extension that would replace increment IDs with a different ID system. Preventing enumeration while still using increments seems complicated to pull off correctly. And switching to UUIDs or other ID systems is probably a bit too radical to include in core (unless we decide to switch all IDs away from increments). |
Fixes https://github.com/flarum/core/issues/2560
This makes it more difficult to scape the API for users.
Is there another place where this check would be more appropriate? I'm unsure about putting it in the repository since that method is used by other classes.