From d7408d8b0b04afd2a3c8e23cc908e7bd3849f34d Mon Sep 17 00:00:00 2001
From: Giteabot <teabot@gitea.io>
Date: Tue, 14 Nov 2023 07:03:56 +0800
Subject: [PATCH] Dont leak private users via extensions (#28023) (#28028)

Backport #28023 by @6543

there was no check in place if a user could see a other user, if you
append e.g. `.rss`

(cherry picked from commit 69ea554e2362e5c4943c2463c2ec547bf631f18b)
---
 routers/web/user/home.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/routers/web/user/home.go b/routers/web/user/home.go
index 3a7630fb32..1dfbafafa7 100644
--- a/routers/web/user/home.go
+++ b/routers/web/user/home.go
@@ -821,6 +821,11 @@ func UsernameSubRoute(ctx *context.Context) {
 	reloadParam := func(suffix string) (success bool) {
 		ctx.SetParams("username", strings.TrimSuffix(username, suffix))
 		context_service.UserAssignmentWeb()(ctx)
+		// check view permissions
+		if !user_model.IsUserVisibleToViewer(ctx, ctx.ContextUser, ctx.Doer) {
+			ctx.NotFound("user", fmt.Errorf(ctx.ContextUser.Name))
+			return false
+		}
 		return !ctx.Written()
 	}
 	switch {