Any logged in user can obtain all user emails #4502
Description
Using the user search API, any logged-in user can obtain the emails of other Gitea users.
For example, log into try.gitea.io then try hitting https://try.gitea.io/api/v1/users/search?q=chris in your browser and you will see the email addresses of all users with "chris" in their name.
I would suggest that showing emails should be off by default except for when viewed by admin users.
Thanks!

Comments
Where in that example does it show the email address? I tried searching for my name, and a part of my email that is not in my name, and it didn't show up. I have also looked at the code for this before and it shouldn't consider email.
It shows the email only if you are signed in...
Oh, whoops. Yeah, just tried, that definitely seems like a bug.
This looks like something that should be fixed ... #4490 is kind of similar except for admins.
Why should it not show emails in the API?
Well, why does it already block showing emails if the user making the request is not logged in? I figured the reasons are user privacy and not wanting spammers to use Gitea instances as a place to harvest email addresses. I think most web services let users choose whether or not to expose their email, and few expose it by default. GitHub has a "Keep my email address private" option, for example.
Yeah, the keep email private option is misleading then, since it doesn't
The API should respect the "keep email private" setting. If it does not, it is a bug.
Would love to know when the fix will be officially released for this. Chris, do check your email. :)
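The visibility rule the thread converges on (anonymous callers never see addresses; an admin or the account owner always does; any other logged-in caller sees an address only when its owner has not set "keep email private"), written out as an added Go example. This is illustration code, not Gitea's own model or API code: the `User`, `APIUser`, `CanSeeEmail`, `ToAPIUser` and `SearchUsers` names and the `KeepEmailPrivate` field are assumptions, and the user table is constructed here for the demonstration. The search mimics `/api/v1/users/search?q=` by substring-matching the login.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// User is a minimal stand-in for an account record (assumed fields, not Gitea's model).
type User struct {
	ID               int64
	Name             string
	Email            string
	IsAdmin          bool
	KeepEmailPrivate bool
}

// APIUser is what a search hit looks like to API callers. Email carries
// omitempty so a redacted address is absent from the JSON rather than "".
type APIUser struct {
	ID    int64  `json:"id"`
	Login string `json:"login"`
	Email string `json:"email,omitempty"`
}

// CanSeeEmail decides whether requester may see target's address.
// A nil requester means the call was not authenticated.
func CanSeeEmail(requester, target *User) bool {
	if requester == nil {
		return false // anonymous callers never get addresses
	}
	if requester.IsAdmin || requester.ID == target.ID {
		return true // admins and the account owner always do
	}
	return !target.KeepEmailPrivate // everyone else: honour the owner's setting
}

// ToAPIUser serialises target for requester, dropping the email when not permitted.
func ToAPIUser(requester, target *User) APIUser {
	out := APIUser{ID: target.ID, Login: target.Name}
	if CanSeeEmail(requester, target) {
		out.Email = target.Email
	}
	return out
}

// SearchUsers matches q as a case-insensitive substring of the login (the way
// the search endpoint behaves for the q= parameter) and applies the policy per hit.
// The match deliberately never consults Email, so the address cannot be probed
// by querying fragments of it.
func SearchUsers(requester *User, q string, users []*User) []APIUser {
	var hits []APIUser
	q = strings.ToLower(q)
	for _, u := range users {
		if strings.Contains(strings.ToLower(u.Name), q) {
			hits = append(hits, ToAPIUser(requester, u))
		}
	}
	return hits
}

// SampleUsers is a constructed user table for the demonstration.
func SampleUsers() []*User {
	return []*User{
		{ID: 1, Name: "admin", Email: "admin@example.test", IsAdmin: true},
		{ID: 2, Name: "chris", Email: "chris@example.test", KeepEmailPrivate: true},
		{ID: 3, Name: "christine", Email: "christine@example.test"},
	}
}

func main() {
	users := SampleUsers()
	requesters := map[string]*User{"anonymous": nil, "christine": users[2], "admin": users[0]}
	for _, name := range []string{"anonymous", "christine", "admin"} {
		out, _ := json.Marshal(SearchUsers(requesters[name], "chris", users))
		fmt.Printf("%-9s -> %s\n", name, out)
	}
}
```

Running it shows the three views of the same `q=chris` query: the anonymous result carries no `email` keys at all, the logged-in non-admin sees christine's address but not chris's (who opted out), and the admin sees both. The check to add in a real fix sits in one place (`CanSeeEmail`) so every serialisation path, not only search, applies the same rule.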