Data privacy concern

Hello, some security flaws have been reported to me that I would like to understand.

User List:
All the platform users are visible without being identified
https://*domain*/directory_items.json?period=daily&order=posts_read

User details:
We can get all the user details without being identified
https://*domain*/users/*user*.json

Is there a way to limit this situation or the level of user details accessible publicly?
I know if I only allow logged-in users, all this info is blocked.
How can I keep some public info but:

  • Limiting the possibility of getting USERs LISTING (all the database)
2 Likes

https://github.com/discourse/discourse/commit/7fe414d35d39f7bb1b1462a0386291988844976a

After the above commit, checking the “Hide my public profile and presences features” option on Preferences → Interface does block the individual user RSS & JSON routes.

You can also uncheck the `enable user directory` site setting.

Does that help?

7 Likes
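A way to verify the effect of those two settings from a logged-out client, as an added example that is not part of the original posts or of Discourse itself. The function names, the `forum.example` host, the `alice` username and the sample responses are constructed; the top-level JSON keys `directory_items` and `user`, and the idea that a blocked route answers with a non-200 status or no data, are assumptions.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Paths are the ones quoted in the thread; the JSON keys are assumptions.
CHECKS = {
    "user directory": ("/directory_items.json?period=daily&order=posts_read",
                       "directory_items"),
    "user profile": ("/users/{user}.json", "user"),
}

def anonymous_get(url):
    """GET with no cookies or API key; return (status, body text)."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""

def is_exposed(status, body, key):
    """Exposed only if the route answers 200 with non-empty data under key."""
    if status != 200:
        return False
    try:
        data = json.loads(body)
    except ValueError:
        return False  # for example an HTML login page instead of JSON
    return isinstance(data, dict) and bool(data.get(key))

def audit(base_url, user, fetch=anonymous_get):
    """Return {check name: True if readable without logging in}."""
    results = {}
    for name, (path, key) in CHECKS.items():
        url = base_url.rstrip("/") + path.format(user=urllib.parse.quote(user))
        status, body = fetch(url)
        results[name] = is_exposed(status, body, key)
    return results

def sample_fetch(url):
    """Constructed responses: directory still public, profile route blocked."""
    if "directory_items.json" in url:
        return 200, '{"directory_items": [{"id": 1, "user": {"username": "alice"}}]}'
    return 404, ""

if __name__ == "__main__":
    # forum.example and alice are placeholders; drop fetch= to query a real site.
    print(audit("https://forum.example", "alice", fetch=sample_fetch))
```

Run it against your own site before and after changing the settings; any check that still reports `True` is readable by anonymous visitors.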

Very fast answer. Thanks @rishabh.
I would just like you to elaborate on the first point because I am not an RSS / JSON expert:

  • I understand I just have to rebuild to apply this fix?
  • What does it mean to “block the individual user RSS & JSON routes”?

And some added questions.

  • Is there an option to check by default the “Hide my public profile and presences features”?
  • If I disable the directory, it is disabled even for administrators. I think there should be a way to limit User directory access with more granularity (administrators and moderators should always be able to have access, I think)
  • I have checked “hide user profiles from public”. But Anonymous still receives a list of users, a limited list but still a list. There should be an option to block all ANONYMOUS users from personal info and listing. (May this be part of what I am missing in your fix?)
2 Likes
