  1. XWiki Platform
  2. XWIKI-18850

Unauthenticated user can retrieve the list of users through uorgsuggest.vm


    Details

    • Tests:
      Unit
    • Difficulty:
      Unknown
    • Documentation:
      N/A
    • Documentation in Release Notes:
      N/A
    • Pull Request Status:
      Pull Request accepted
      Description

      An unauthenticated user can retrieve a list of users and their fullname through a publicly accessible URL.

      Reproducing steps:
      Navigate to:

      http://<server>/bin/login/XWikiLogin?xpage=uorgsuggest&uorg=user&wiki=&media=json
      

      Results:

      • uorgsuggest gives access to user fullname and reference even if the wiki is private

      Expected Results:

      • User fullname and documents fullname should not be accessible to anyone who doesn't have the corresponding rights
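
A log check for the request shown in the reproduction steps, added here as an example and not part of the original report or of XWiki's code: it counts, per client address, the requests carrying `xpage=uorgsuggest` and `uorg=user` that were answered with HTTP 200. The Combined Log Format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Assumed format: Apache/nginx Combined Log Format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def is_uorgsuggest_user_query(target):
    """True if the request target selects the uorgsuggest template for users."""
    # parse_qs percent-decodes names and values, so an encoded spelling of
    # the same parameters is matched too. The path is deliberately ignored.
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return "uorgsuggest" in query.get("xpage", []) and "user" in query.get("uorg", [])

def find_hits(lines):
    """Count successful (HTTP 200) uorgsuggest user lookups per client address."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m is None or m["status"] != "200":
            continue  # unparsable line or non-successful response
        if is_uorgsuggest_user_query(m["target"]):
            hits[m["ip"]] += 1
    return hits

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /bin/login/XWikiLogin'
    '?xpage=uorgsuggest&uorg=user&wiki=&media=json HTTP/1.1" 200 512 "-" "-"',
    '192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /bin/login/XWikiLogin'
    '?xpage=%75orgsuggest&uorg=user&wiki=&media=json HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /bin/login/XWikiLogin'
    '?xpage=uorgsuggest&uorg=user&wiki=&media=json HTTP/1.1" 403 0 "-" "-"',
    '198.51.100.7 - - [01/Jan/2024:10:02:00 +0000] "GET /bin/view/Main/WebHome'
    ' HTTP/1.1" 200 1024 "-" "-"',
    'not an access log line',
]

if __name__ == "__main__":
    for ip, count in find_hits(SAMPLE_LOG).most_common():
        print(f"{ip}: {count} uorgsuggest user lookup(s) answered with 200")
```

A log in this format does not record whether the request belonged to a logged-in session, so each hit is a lead to correlate with authentication records.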

              People

              Assignee:
              mleduc Manuel Leduc
              Reporter:
              gcoquard Guillaume COQUARD
