- 🇺🇦Ukraine AstonVictor
I'm closing it because the issue was created a long time ago without any further steps.
If you still need it, then raise a new one.
Thanks.
This patch fixes an information disclosure flaw as it does not check access properly under certain circumstances. Anonymous users could get access to read information they should not have access to.
For example, it may expose a complete list of existing user accounts (user name and ID) to anonymous users: http://example.com/mpac/autocomplete/menu/users
When an attacker knows a username, they can start a brute force attack to gain access with that user.
In this patch:
1. Only logged-in users can access the autocomplete path.
2. Add the autocomplete path to admin paths.
3. If users don't have the "access user profiles" permission, user aliases are excluded from results.
Closed: outdated
1.0
Code
The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.
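The three changes listed in the issue summary above, shown as an added Drupal 7 example for a hypothetical module `example_ac`. This is not the mpac patch or the project's code; the module name, path, function names and the `url_alias` lookup are assumptions made for illustration.

```php
<?php
// Added example: hypothetical Drupal 7 module "example_ac" (names are assumptions).

/**
 * Implements hook_menu().
 */
function example_ac_menu() {
  $items['example_ac/autocomplete/%'] = array(
    'page callback' => 'example_ac_autocomplete',
    'page arguments' => array(2),
    // Change 1: anonymous requests are rejected with 403 before the callback runs.
    'access callback' => 'user_is_logged_in',
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Implements hook_admin_paths().
 */
function example_ac_admin_paths() {
  // Change 2: mark the endpoint as an administrative path. This only affects
  // the admin theme/overlay; the access callback above is the access check.
  return array('example_ac/autocomplete/*' => TRUE);
}

/**
 * Page callback: returns path aliases matching the typed string as JSON.
 * Trailing URL components arrive as extra arguments, so $string is arg(3).
 */
function example_ac_autocomplete($type, $string = '') {
  $query = db_select('url_alias', 'u')
    ->fields('u', array('source', 'alias'))
    ->condition('u.alias', '%' . db_like($string) . '%', 'LIKE')
    ->range(0, 20);
  // Change 3: without "access user profiles", drop aliases whose source is
  // user/<uid>, because they reveal account names and IDs.
  if (!user_access('access user profiles')) {
    $query->condition('u.source', db_like('user/') . '%', 'NOT LIKE');
  }
  $matches = array();
  foreach ($query->execute() as $row) {
    $matches[$row->source] = check_plain($row->alias);
  }
  drupal_json_output($matches);
}
```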