Autocomplete security for User datatype #690

Open
cmacmackin opened this issue Nov 18, 2023 · 1 comment · May be fixed by #695

Comments

@cmacmackin
Contributor

cmacmackin commented Nov 18, 2023

I'm administering a wiki where we would like to keep the names of users confidential (unless the users choose to edit pages). For the most part this works fine, but there is a vulnerability where people can use autocomplete on User data to find names of users. I had been thinking of creating an extension with a subclass of that type where autocomplete only worked for certain trusted groups of users, but I noticed this note in the struct source code:

@todo should we have any security mechanism? Currently everybody can look up users

If I created a pull request adding a config to restrict user-lookup to certain users or groups, would this be of interest?

@splitbrain
Member

Sure, a pull request (with tests) would be welcome.
