Dont leak private users via extensions (#28023) (#28028)

Backport #28023 by @6543

there was no check in place if a user could see a other user, if you
append e.g. `.rss`

(cherry picked from commit 69ea554e2362e5c4943c2463c2ec547bf631f18b)
This commit is contained in:
Giteabot 2023-11-14 07:03:56 +08:00 committed by Earl Warren
parent 6dfe993913
commit d7408d8b0b
No known key found for this signature in database
GPG key ID: 0579CB2928A78A00

View file

@ -821,6 +821,11 @@ func UsernameSubRoute(ctx *context.Context) {
reloadParam := func(suffix string) (success bool) {
ctx.SetParams("username", strings.TrimSuffix(username, suffix))
context_service.UserAssignmentWeb()(ctx)
// check view permissions
if !user_model.IsUserVisibleToViewer(ctx, ctx.ContextUser, ctx.Doer) {
ctx.NotFound("user", fmt.Errorf(ctx.ContextUser.Name))
return false
}
return !ctx.Written()
}
switch {