Enumeration is still possible for authenticated users

Created on 3 November 2022, about 2 years ago

Updated 5 September 2024, 3 months ago

Problem/Motivation

Drupal\user\Controller\UserController::resetPass has this message
$this->messenger()->addWarning($this->t('Another user (%other_user) is already logged into the site on this computer, but you tried to use a one-time link for user %resetting_user... that reveals the username for authenticated user. There is no access control/user role checks, so any authenticated user is able to fetch the information.

Steps to reproduce

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

✨ Feature request

Status

Active

Version

1.0

Component

Code

Created by

🇫🇮Finland sokru

Live updates comments and jobs are added and updated live.

Incomplete comments

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Comment 5 months ago →
solideogloria
Is this still happening? I just tried it in Drupal 10.2, without using this module, and it doesn't reveal any information.
Status changed to Active 3 months ago6:25pm 5 September 2024
Comment 3 months ago →
🇺🇸United States japerry KVUO
This is correct. There is a test for it as well:
https://git.drupalcode.org/project/drupal/-/blob/11.x/core/modules/user/...

Marking as a feature request, its not blocking the current release but should be in here.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024