Dont leak private users via extensions (#28023)

This commit is contained in:
6543 2023-11-13 23:30:24 +01:00 committed by GitHub
parent 089ac06969
commit c6366089df
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

View file

@ -822,6 +822,11 @@ func UsernameSubRoute(ctx *context.Context) {
reloadParam := func(suffix string) (success bool) {
ctx.SetParams("username", strings.TrimSuffix(username, suffix))
context_service.UserAssignmentWeb()(ctx)
// check view permissions
if !user_model.IsUserVisibleToViewer(ctx, ctx.ContextUser, ctx.Doer) {
ctx.NotFound("user", fmt.Errorf(ctx.ContextUser.Name))
return false
}
return !ctx.Written()
}
switch {