Security bug: User is able to see language statistics even when no role is granted #5673

Closed
tibormarchynzoom opened this issue Mar 16, 2021 · 6 comments
Labels
question This is more a question for the support than an issue. wontfix Nobody will work on this.

Comments

@tibormarchynzoom

Describe the issue

When you have a user who does not belong to any group or any role and does not have any permission, he is still able to navigate to Languages -> Browse all languages and see all currently used languages on the Weblate server.

I already tried

N/A

To Reproduce the issue

  1. Create any user
  2. Ensure that the user does not belong to any group, any role or any project (not even Viewers or Users)
  3. Navigate to Languages -> Browse all languages
  4. Languages are listed

Expected behavior

Languages must not be listed

Screenshots

weblate_user_without_permissions

Exception traceback

N/A

Server configuration and status

Weblate 4.5.1

Weblate deploy checks

N/A

Additional context

N/A

@nijel
Member

nijel commented Mar 16, 2021

This is documented behaviour:

image

@nijel nijel added the question This is more a question for the support than an issue. label Mar 16, 2021
@github-actions

This issue looks more like a support question than an issue. We strive to answer these reasonably fast, but purchasing the support subscription is not only more responsible and faster for your business but also makes Weblate stronger. In case your question is already answered, making a donation is the right way to say thank you!

@tibormarchynzoom
Author

Thanks, but don't you think it's wrong to show those data? Especially if you really want to keep your environment secure.

@nijel
Member

nijel commented Mar 16, 2021

If you don't want users to have access to any data in Weblate, don't let them register. Registered users will always be able to get some information from the service. The current scope is merely caused by implementation, and is documented.

@comradekingu
Contributor

@tibormarchynzoom How do you think it is wrong to show that data?
In my view it is a great feature, not a "security bug"…

@github-actions

This issue has been automatically marked as stale because there wasn’t any recent activity.

It will be closed soon if no further action occurs.

Thank you for your contributions!

@github-actions github-actions bot added the wontfix Nobody will work on this. label Mar 29, 2021
@github-actions github-actions bot closed this as completed Apr 2, 2021