Redmine is leaking usernames on activities index view
Redmine currently leaks usernames when the activities index view is requested with a `user_id` param that has a non-visible
The cause of this is that the `@author` instance variable in the activities controller is populated with the user having the `user_id` argument without doing a visible check (see source:/trunk/app/controllers/activities_controller.rb@21197#L36).
This issue has been present since Redmine 0.8 (where the user activities list feature was introduced, feature #1002) and exists up until now (trunk @ r21197). Though from 0.8 up to and including 2.6.x there wasn't an explicit setting to control user visibility. With 3.0.0 we got the user visibility feature from #11724, but this case wasn't modified to obey that particular setting.

I'll leave two (cumulative) patches with test coverage:
- The first one is pretty simple. It just adds the visibility check and as a result, when the page is requested with a non-visible user, renders a 404 immediately. This relies on the fact that the controller already rescues `ActiveRecord::RecordNotFound` exceptions via source:/trunk/app/controllers/activities_controller.rb@21197#L83.
- The second one changes the above behavior a bit to work in a slightly more sophisticated manner. It wraps the `@author` population in a block that rescues the `ActiveRecord::RecordNotFound` exception itself and populates `@author` with either the visible (and active) user or `nil`, according to the result of the call to `User.visible.active.find(params[:user_id])`. This way Redmine doesn't throw a 404 error immediately. Instead, it responds with a sanitized activities index view when it is requested with a `user_id` param whose argument is not a visible user.
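To make the difference between the leaking lookup and the two proposed fixes concrete, here is an added, self-contained Ruby model of the three controller variants. It is not Redmine's code and does not use Rails: the `User` table, its `visible`/`active` scopes, the `ActiveRecord::RecordNotFound` class and the `ActivitiesController` stand-ins are all constructed here so the behaviour can be exercised offline.

```ruby
# Added example, not Redmine's code. Everything below is a constructed stand-in
# that mimics the shape of the report's controller lookup without Rails.
module ActiveRecord
  class RecordNotFound < StandardError; end
end

# Minimal model with chainable `visible` and `active` scopes, like the ones the
# report's fix relies on (`User.visible.active.find`).
class User
  attr_reader :id, :login, :active, :visible_to_current

  def initialize(id, login, active:, visible:)
    @id = id
    @login = login
    @active = active
    @visible_to_current = visible
  end

  # Constructed sample data: id 3 is hidden by the user visibility setting,
  # id 4 is visible but locked (not active).
  ALL = [
    User.new(1, "alice", active: true,  visible: true),
    User.new(2, "bob",   active: true,  visible: true),
    User.new(3, "carol", active: true,  visible: false),
    User.new(4, "dave",  active: false, visible: true),
  ].freeze

  # A scope wraps a row set and narrows it; `find` raises like ActiveRecord does.
  class Scope
    def initialize(rows)
      @rows = rows
    end

    def visible
      Scope.new(@rows.select(&:visible_to_current))
    end

    def active
      Scope.new(@rows.select(&:active))
    end

    def find(id)
      @rows.find { |u| u.id == id.to_i } ||
        raise(ActiveRecord::RecordNotFound, "Couldn't find User with id=#{id}")
    end
  end

  def self.all;      Scope.new(ALL); end
  def self.find(id)  all.find(id);   end
  def self.visible;  all.visible;    end
  def self.active;   all.active;     end
end

# Stand-in for the controller action. Each variant returns a hash describing
# the response instead of rendering a template.
class ActivitiesController
  # Leaking lookup: any id resolves, so the login of a hidden or locked user
  # ends up in the rendered page even though the caller may not see that user.
  def self.index_unpatched(params)
    author = params[:user_id].nil? ? nil : User.find(params[:user_id])
    render(author)
  end

  # Patch 1: scope the lookup to visible, active users. RecordNotFound
  # propagates to the controller-level rescue, which answers 404.
  def self.index_patch1(params)
    author = params[:user_id].nil? ? nil : User.visible.active.find(params[:user_id])
    render(author)
  rescue ActiveRecord::RecordNotFound
    { status: 404 }
  end

  # Patch 2: rescue at the lookup itself and fall back to nil, so the request
  # still gets the (sanitized) index view, just without an author.
  def self.index_patch2(params)
    author =
      if params[:user_id].nil?
        nil
      else
        begin
          User.visible.active.find(params[:user_id])
        rescue ActiveRecord::RecordNotFound
          nil
        end
      end
    render(author)
  end

  def self.render(author)
    { status: 200, title: author ? "Activity: #{author.login}" : "Activity" }
  end
end

if __FILE__ == $0
  %w[index_unpatched index_patch1 index_patch2].each do |variant|
    puts "#{variant}: #{ActivitiesController.public_send(variant, { user_id: "3" }).inspect}"
  end
end
```

Requesting `user_id=3` (the hidden user) against the unpatched variant yields a 200 whose title carries the hidden login; the same request yields a 404 with patch 1 and a plain "Activity" page with patch 2. Either fix also covers the locked user (id 4) and non-existent ids, since both go through the same scoped `find`.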
FWIW: I have no particular preference for how this leakage gets resolved. I'd be ok with both the solutions I propose.
Please let me know if more information is needed.