Dont leak private users via extensions (go-gitea#28023) (go-gitea#28029)

Backport go-gitea#28023 by @6543 there was no check in place if a user could see a other user, if you append e.g. `.rss`
GiteaBot · Nov 13, 2023 · eef4148 · eef4148
1 parent d412271
commit eef4148
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/routers/web/user/home.go b/routers/web/user/home.go
@@ -822,6 +822,11 @@ func UsernameSubRoute(ctx *context.Context) {
 	reloadParam := func(suffix string) (success bool) {
 		ctx.SetParams("username", strings.TrimSuffix(username, suffix))
 		context_service.UserAssignmentWeb()(ctx)
+		// check view permissions
+		if !user_model.IsUserVisibleToViewer(ctx, ctx.ContextUser, ctx.Doer) {
+			ctx.NotFound("user", fmt.Errorf(ctx.ContextUser.Name))
+			return false
+		}
 		return !ctx.Written()
 	}
 	switch {