mirrors/forgejo
1
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2025-11-04 00:11:04 +00:00
Code Issues Projects Releases Packages Wiki Activity

Dont leak private users via extensions (#28023) (#28029)

Browse source 
Backport #28023 by @6543

there was no check in place if a user could see a other user, if you
append e.g. `.rss`
This commit is contained in:
Giteabot 2023-11-14 07:03:42 +08:00 committed by GitHub
commit eef4148935
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 5 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

5
routers/web/user/home.go
View file

@ -822,6 +822,11 @@ func UsernameSubRoute(ctx *context.Context) {
reloadParam := func(suffix string) (success bool) { reloadParam := func(suffix string) (success bool) {
ctx.SetParams("username", strings.TrimSuffix(username, suffix)) ctx.SetParams("username", strings.TrimSuffix(username, suffix))
context_service.UserAssignmentWeb()(ctx) context_service.UserAssignmentWeb()(ctx)
// check view permissions
if !user_model.IsUserVisibleToViewer(ctx, ctx.ContextUser, ctx.Doer) {
ctx.NotFound("user", fmt.Errorf(ctx.ContextUser.Name))
return false
}
return !ctx.Written() return !ctx.Written()
} }
switch { switch {