Dont leak private users via extensions (#28023)
This commit is contained in:
parent
089ac06969
commit
c6366089df
@ -822,6 +822,11 @@ func UsernameSubRoute(ctx *context.Context) {
|
|||||||
reloadParam := func(suffix string) (success bool) {
|
reloadParam := func(suffix string) (success bool) {
|
||||||
ctx.SetParams("username", strings.TrimSuffix(username, suffix))
|
ctx.SetParams("username", strings.TrimSuffix(username, suffix))
|
||||||
context_service.UserAssignmentWeb()(ctx)
|
context_service.UserAssignmentWeb()(ctx)
|
||||||
|
// check view permissions
|
||||||
|
if !user_model.IsUserVisibleToViewer(ctx, ctx.ContextUser, ctx.Doer) {
|
||||||
|
ctx.NotFound("user", fmt.Errorf(ctx.ContextUser.Name))
|
||||||
|
return false
|
||||||
|
}
|
||||||
return !ctx.Written()
|
return !ctx.Written()
|
||||||
}
|
}
|
||||||
switch {
|
switch {
|
||||||
|
Loading…
Reference in New Issue
Block a user