Any logged in user can obtain all user emails #4502

@glitch003

Description

Using the user search API, any logged-in user can obtain the emails of other Gitea users.

For example, log into try.gitea.io then try hitting https://try.gitea.io/api/v1/users/search?q=chris in your browser and you will see the email addresses of all users with "chris" in their name.

I would suggest that showing emails should be off by default except for when viewed by admin users.

Thanks!
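The policy suggested in the issue (email off by default, shown only to admin viewers), as an added example that is not part of the original post and is not Gitea's code. The `User` and `SearchHit` types, the JSON field names, and the sample accounts are assumptions constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// User is a hypothetical stored account record (not Gitea's model).
type User struct {
	ID      int64
	Login   string
	Email   string
	IsAdmin bool
}

// SearchHit is the hypothetical JSON shape returned to the caller.
// omitempty drops the "email" key entirely when the value was withheld,
// so a non-admin response carries no email field at all.
type SearchHit struct {
	ID    int64  `json:"id"`
	Login string `json:"login"`
	Email string `json:"email,omitempty"`
}

// ToSearchHits copies only the fields the viewer may see. Email is included
// only for an admin viewer; a nil (anonymous) viewer is treated as non-admin.
func ToSearchHits(viewer *User, matches []User) []SearchHit {
	showEmail := viewer != nil && viewer.IsAdmin
	hits := make([]SearchHit, 0, len(matches))
	for _, u := range matches {
		h := SearchHit{ID: u.ID, Login: u.Login}
		if showEmail {
			h.Email = u.Email
		}
		hits = append(hits, h)
	}
	return hits
}

// RenderSearch marshals the filtered hits as the response body.
func RenderSearch(viewer *User, matches []User) string {
	body, _ := json.Marshal(map[string]interface{}{"ok": true, "data": ToSearchHits(viewer, matches)})
	return string(body)
}

func main() {
	// Constructed sample accounts matching a search for "chris".
	users := []User{{ID: 1, Login: "chris", Email: "chris@example.com"}, {ID: 2, Login: "christine", Email: "christine@example.com"}}
	fmt.Println(RenderSearch(&users[0], users))                                  // regular viewer: no email keys
	fmt.Println(RenderSearch(&User{ID: 9, Login: "root", IsAdmin: true}, users)) // admin viewer: emails present
}
```

Filtering at the point where the response struct is built, rather than in the client or template, means every caller of the search endpoint gets the same redaction.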

Metadata

Labels: modifies/api, pr/breaking, type/bug
