Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix bug leading to e-mail leak #3599

Merged
merged 1 commit into from Jun 29, 2021
Merged

Conversation

okybr
Copy link

@okybr okybr commented Jun 28, 2021

Talk version 4 exposes private information such as e-mail addresses to unauthenticated queries because of a simple bug. This pull-request fixes the bug and thus closes the e-mail leak.

@tessalt tessalt merged commit f9bb585 into coralproject:release/4 Jun 29, 2021
9 checks passed
Copy link

@munishsinghal munishsinghal left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Even after these changes, it seems user with role ADMIN & MODERATOR can still see the email address in postman with below graphql query
query Q1 { user(id: "XXXX") { email }}
query Q2 { users(query: {}) { nodes { email }}

but user with role Staff, Commentor cannot see email address.

@okybr
Copy link
Author

okybr commented Jan 11, 2022

@munishsinghal, that's how it's supposed to work.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

4 participants