Bug Report

Current Behavior
ShowUserController currently only uses viewDiscusions (via ScopeUserVisibility) to restrict who can access user profiles (changed from viewUserList in flarum/framework#2305). This makes sense when accessing the profile by slug, but we should restrict it to viewUserList when accessing by ID to prevent enumeration.
Environment
Flarum version: beta 15
Possible Solution
When not accessing by slug, a check for $user->can('viewUserList') should be done.
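The gate described in this issue, as an added illustration that is not Flarum's own code: a profile lookup that treats a purely numeric identifier as access by ID and requires viewUserList for it, while slug access keeps going through the normal visibility scope. The UserFinder interface, its findVisibleById/findVisibleBySlug methods and ProfileLookupDenied are assumptions made for this example; only $actor->can('viewUserList') comes from the issue text.

```php
<?php
// Added example (not Flarum's ShowUserController). UserFinder and its two
// methods are hypothetical stand-ins for a repository that already applies
// the ScopeUserVisibility scope for the acting user.
interface UserFinder
{
    public function findVisibleById(int $id, object $actor): ?object;
    public function findVisibleBySlug(string $slug, object $actor): ?object;
}

final class ProfileLookupDenied extends \RuntimeException {}

function resolveProfileUser(object $actor, UserFinder $users, string $identifier): object
{
    if (ctype_digit($identifier)) {
        // A numeric identifier means the client addressed the profile by its
        // database ID. IDs are sequential, so answering them for anyone lets a
        // client walk the whole user table; require the same permission that
        // protects the member list before doing an ID lookup.
        if (! $actor->can('viewUserList')) {
            // Same exception and message as the not-found case below, so the
            // response does not reveal whether the ID exists.
            throw new ProfileLookupDenied('User not found');
        }
        $user = $users->findVisibleById((int) $identifier, $actor);
    } else {
        // Slug access is unchanged: the visibility scope alone decides.
        $user = $users->findVisibleBySlug($identifier, $actor);
    }

    if ($user === null) {
        throw new ProfileLookupDenied('User not found');
    }

    return $user;
}
```

Keeping the denied and not-found outcomes indistinguishable matters as much as the permission check itself: a 403 on existing IDs and a 404 on unused ones would still let a caller enumerate which IDs are taken.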
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. We do this to keep the amount of open issues to a manageable minimum.
In any case, thanks for taking an interest in this software and contributing by opening the issue in the first place!