Autocomplete security for User datatype #690
Comments
Sure, a pull request (with tests) would be welcome.
I'm administering a wiki where we would like to keep the names of users confidential (unless the users choose to edit pages). For the most part this works fine, but there is a vulnerability where people can use autocomplete on `User` data to find names of users. I had been thinking of creating an extension with a subclass of that type where autocomplete only worked for certain trusted groups of users, but I noticed this note in the struct source code:

If I created a pull request adding a config to restrict user-lookup to certain users or groups, would this be of interest?