Addressed user detail harvesting issue

Altered access & usage of the /search/users/select endpoint with the following changes: - Removed searching of email address to prevent email detail discovery via hunting via search queries. - Required the user to be logged in and have permission to manage users or manage permissions on items in some way. - Removed the user migration option on user delete unless they have permission to manage users. For #3108 Reported in https://huntr.dev/bounties/135f2d7d-ab0b-4351-99b9-889efac46fca/ Reported by @haxatron
2025-07-30 04:23:11 +03:00 · 2021-12-14 18:47:22 +00:00
parent 867cbe15ea
commit e765e61854
5 changed files with 114 additions and 19 deletions
--- a/resources/views/users/delete.blade.php
+++ b/resources/views/users/delete.blade.php
@ -12,17 +12,19 @@

            <p>{{ trans('settings.users_delete_warning', ['userName' => $user->name]) }}</p>

-            <hr class="my-l">
+            @if(userCan('users-manage'))
+                <hr class="my-l">

-            <div class="grid half gap-xl v-center">
-                <div>
-                    <label class="setting-list-label">{{ trans('settings.users_migrate_ownership') }}</label>
-                    <p class="small">{{ trans('settings.users_migrate_ownership_desc') }}</p>
+                <div class="grid half gap-xl v-center">
+                    <div>
+                        <label class="setting-list-label">{{ trans('settings.users_migrate_ownership') }}</label>
+                        <p class="small">{{ trans('settings.users_migrate_ownership_desc') }}</p>
+                    </div>
+                    <div>
+                        @include('form.user-select', ['name' => 'new_owner_id', 'user' => null, 'compact' => false])
+                    </div>
                </div>
-                <div>
-                    @include('form.user-select', ['name' => 'new_owner_id', 'user' => null, 'compact' => false])
-                </div>
-            </div>
+            @endif

            <hr class="my-l">