
Add option to limit profile views only for admin users #545

Merged
merged 4 commits into from
Mar 8, 2024

Conversation

TonisOrmisson (Contributor)

Q                | A
---------------- | ---
Is bugfix?       | no
New feature?     | yes
Breaks BC?       | no
Tests pass?      | yes

Currently any user can check any other user's profile. This change will add a module parameter disableProfileViewsForRegularUsers which will only allow admin level users to check other people's profiles.

@TonisOrmisson TonisOrmisson changed the title Add option to l imit profile views only for admin users Add option to limit profile views only for admin users Mar 8, 2024
@maxxer (Collaborator) commented Mar 8, 2024

Currently any user can check any other user's profile. This change will add a module parameter disableProfileViewsForRegularUsers which will only allow admin level users to check other people's profiles.

Wow... Looks like an information disclosure issue. I'd consider defaulting the new param to true.

(Review comment on src/User/Module.php, resolved)
@TonisOrmisson (Contributor, Author)

Currently any user can check any other user's profile. This change will add a module parameter disableProfileViewsForRegularUsers which will only allow admin level users to check other people's profiles.

Wow... Looks like an information disclosure issue. I'd consider defaulting the new param to true.

Yes, I actually had the same question in mind. I definitely want this to be "closed" by default, not open as it is now. I would re-name the param if it's a wider consensus that the default should be closed. It will possibly be a breaking change then. Maybe close it by default and then do a v 1.7 release?

@TonisOrmisson (Contributor, Author)

I did not check that before, but it seems the profile view page is not only open to any logged-in user, but also to guests. I suggest it should be 2-level closing here: 1) whether it's open to logged-in users vs admins, 2) whether it's open to guests.

I will suggest changes towards that direction in a while
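An added illustration of the two-level gate proposed above, written as a Yii2 AccessControl behaviour on a profile controller; it is not code from this PR or from the project. `disableProfileViewsForRegularUsers` is the flag this PR introduces; the `disableProfileViewsForGuests` flag, the `isAdmin` identity property and the controller name are assumptions.

```php
<?php
// Added illustration, not the project's code. Assumes $this->module exposes
// the two boolean flags below and that the identity class has an isAdmin
// property. Both flags are assumed to default to true ("closed").

use Yii;
use yii\filters\AccessControl;
use yii\web\Controller;

class ProfileController extends Controller
{
    public function behaviors()
    {
        return [
            'access' => [
                'class' => AccessControl::class,
                'only' => ['show'],
                'rules' => [
                    // Level 1: admins may always view any profile.
                    [
                        'allow' => true,
                        'roles' => ['@'],
                        'matchCallback' => fn () => (bool) Yii::$app->user->identity->isAdmin,
                    ],
                    // Level 1: other logged-in users only when the module permits it
                    // (disableProfileViewsForRegularUsers is the flag from this PR).
                    [
                        'allow' => true,
                        'roles' => ['@'],
                        'matchCallback' => fn () => !$this->module->disableProfileViewsForRegularUsers,
                    ],
                    // Level 2: guests only when the module permits it (assumed flag).
                    [
                        'allow' => true,
                        'roles' => ['?'],
                        'matchCallback' => fn () => !$this->module->disableProfileViewsForGuests,
                    ],
                    // No matching rule: AccessControl denies (403 for users,
                    // login redirect for guests), so the default is closed.
                ],
            ],
        ];
    }

    public function actionShow($id)
    {
        // Render the profile of user $id; only reached if a rule above allowed it.
    }
}
```

Rule order matters: the admin rule comes first so the regular-user flag never hides a profile from an admin.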

@maxxer (Collaborator) commented Mar 8, 2024

Ok, I'll merge this as-is. I'd then close up in the next release.

Do you mind creating a new issue, so others are aware of the future change and it's open for discussion?

thank you

@maxxer maxxer merged commit 29a878f into 2amigos:master Mar 8, 2024
3 checks passed
@TonisOrmisson TonisOrmisson deleted the limit-profile-view branch March 8, 2024 08:59
@TonisOrmisson (Contributor, Author)

ok, I'll do that. But I would suggest to do a minor release on this one then also with this fix
