Follow/follower lists exposed in API while settings are enabled that are meant to hide these

Environment

Discourse Version: v2.7.0beta1 (0034cbda8ae833962a63e0a77b7f5c84e2d8212d)

Plugin Commit: 679e0ed098ce2b1d8cb0e3e0cbf43383d782be16

Other Plugins
No other plugins that interact with default user serializer AFAIC. Too many to list here, can investigate more if it’s a conflict with another plugin on request but I doubt it.

Steps to Reproduce

  1. Set “follow show statistics on profile” to false
  2. Set “follow followers visible” setting to “none”
  3. Set “follow following visible” setting to “self”
  4. Make sure you are logged out (or on a non-staff account)
  5. Hit any JSON endpoint that serializes data from a user that has followers/following, e.g. /u/{username}.json

Expected behavior: JSON does not contain the “following”/“followers” fields

Observed behavior: JSON does contain these fields and they expose the followers/following of that user.

Example

Logs


Thanks for the report. Will look at this when time permits.

Hey @merefield, any update there? This seems like a privacy issue to me so was wondering where this lies in terms of priority.

Is this PR-welcome?


I will look at this in about 3 weeks time after the release of my current project.

In the meantime, PR-welcome for sure :+1:

Thanks for the reminder. I’ve set a reminder for myself :slight_smile:


OK I believe I’ve fixed this as of:

However, on existing installs, you must remove the follow entries in the site setting “public_user_custom_fields” by entering the app container and then the rails console and doing the following:

[1] pry(main)> SiteSetting.public_user_custom_fields
=> "geo_location|followers|following"
[2] pry(main)> SiteSetting.public_user_custom_fields = "geo_location"
=> "geo_location"
[3] pry(main)>
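As an added illustration of the mechanism behind the report and the fix above (not code from Discourse or the follow plugin): a simplified Ruby model in which the core user serializer emits every key listed in public_user_custom_fields to any viewer, so the plugin's own visibility settings only take effect once the follow entries are stripped from that list and the plugin gates those fields itself. The setting keys, the data shapes and the treatment of visibility values other than "none" and "self" are assumptions.

```ruby
# Simplified model of the leak reported above. Not Discourse's or the plugin's
# real code: setting keys, data shapes and the serializer are assumptions.

# Constructed site settings, mirroring the steps to reproduce.
SITE_SETTINGS = {
  "public_user_custom_fields" => "geo_location|followers|following",
  "follow_followers_visible"  => "none",
  "follow_following_visible"  => "self",
}.freeze

# Constructed user record with the custom fields the plugin stores.
USER = {
  "username" => "alice",
  "custom_fields" => { "geo_location" => "Berlin",
                       "followers" => ["bob", "carol"],
                       "following" => ["dave"] },
}.freeze

FOLLOW_FIELDS = %w[followers following].freeze

# Plugin visibility rule for one follow field; viewer is nil when logged out.
def follow_field_visible?(field, settings, viewer, owner)
  case settings["follow_#{field}_visible"]
  when "self" then viewer == owner
  else false # "none" (and any value not modelled here) hides the field
  end
end

# Leaky behaviour: every key in public_user_custom_fields is emitted for everyone.
def serialize_leaky(user, settings, _viewer)
  user["custom_fields"].slice(*settings["public_user_custom_fields"].split("|"))
end

# Remediation from the thread: drop the follow entries from the site setting.
def strip_follow_entries(setting_value)
  (setting_value.split("|") - FOLLOW_FIELDS).join("|")
end

# Fixed behaviour: core serializer only emits the remaining public fields,
# and the follow fields are added only when the plugin's settings allow it.
def serialize_fixed(user, settings, viewer)
  public_keys = strip_follow_entries(settings["public_user_custom_fields"]).split("|")
  out = user["custom_fields"].slice(*public_keys)
  FOLLOW_FIELDS.each do |f|
    out[f] = user["custom_fields"][f] if follow_field_visible?(f, settings, viewer, user["username"])
  end
  out
end
```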

Got it, thanks for these details and for the fix!
