Add option to limit profile views only for admin users #545
Wow... Looks like an information disclosure issue. I'd consider defaulting the new param to
Yes, I actually had the same question in mind. I definitely want this to be "closed" by default, not open as it is now. I would rename the param if it's a wider consensus that the default should be closed. It will possibly be a breaking change then. Maybe close it by default and then do a v1.7 release?
I did not check that before, but it seems the profile view page is not open to any logged in user, but also to guests. I suggest it should be 2-level closing here: 1) whether it's open to logged in users vs admin, 2) whether it's open to guests. I will suggest changes towards that direction in a while.
Ok, I'll merge this as-is. I'd then close up in the next release. Do you mind creating a new issue, so others are aware of the future change and it's open for discussion? Thank you.
Ok, I'll do that. But I would suggest to do a minor release on this one then also with this fix.
Currently any user can check any other user's profile. This change will add a module parameter `disableProfileViewsForRegularUsers` which will only allow admin level users to check other people's profiles.