[security/privacy] new user can access a complete list of users via API call #2708
Comments
|
@alx- , on github you can see the full list of users. Does it look wrong as well? As a regular user you can see reduced information about all others. We need to support teams, but for now it is the only way to collaborate with other users. |
|
AFAIK, there is no way to just dump a list of all github users via official API. Also github users may opt not to include their full name in user profile. Maybe it's somehow OK for cvat.org, though as someone who registered to test it, I find it not OK at all (that's why I didn't use my real name). For some real-life deployments it could be disastrous. Right now anyone with a link can register, confirm e-mail and get a complete list of all users on this installation. |
|
@alx- , let's think how to resolve the issue. Probably when we add teams/groups, it will be easy to address. |
nmanovic
added
enhancement
My actions before raising this issue
Expected Behaviour
GET /api/v1/users should not return a complete list of users
Current Behaviour
I realize that this end-point is used somewhere for username autocompletion. But even though there is not a lot of info there (just id, login, first name and last name), it just seems very wrong to me.
The text was updated successfully, but these errors were encountered: