I'm administering a wiki where we would like to keep the names of users confidential (unless the users choose to edit pages). For the most part this works fine, but there is a vulnerability where people can use autocomplete on User data to find names of users. I had been thinking of creating an extension with a subclass of that type where autocomplete only worked for certain trusted groups of users, but I noticed this note in the struct source code:
@todo should we have any security mechanism? Currently everybody can look up users
If I created a pull request adding a config to restrict user-lookup to certain users or groups, would this be of interest?