Any logged in user can obtain all user emails

[glitch003]

• Gitea version (or commit ref): 1.4.3
• Git version: 2.17.1
• Operating system: Ubuntu 14.04
• Database (use [x]):
  • PostgreSQL
  • MySQL
  • MSSQL
  • SQLite
• Can you reproduce the bug at https://try.gitea.io:
  • Yes (provide example URL)
  • No
  • Not relevant

Description

Using the user search API, any logged in user can obtain emails of other gitea users.

For example, log into try.gitea.io then try hitting https://try.gitea.io/api/v1/users/search?q=chris in your browser and you will see the email addresses of all users with "chris" in their name.

I would suggest that showing emails should be off by default except for when viewed by admin users.

Thanks!

[johanhugg]

Where in that example does it show the email address? I tried searching for my name, and a part of my email that is not in my name, and it didn't show up.

I have also looked at the code for this before and it shouldn't consider email.

[adelowo]

It shows the email only if you are signed in...

[johanhugg]

Oh, whoops. Yeah, just tried, that definitely seems like a bug.

[adelowo]

This looks like something that should be fixed ... #4490 is kind of similar except for admins

[lafriks]

Why should not it show emails in API?

[glitch003]

Well, why does it already block showing emails if the user making the request is not logged in?

I figured the reasons are user privacy and not wanting spammers to use Gitea instances as a place to harvest email addresses.

I think most web services let users choose whether or not to expose their email, and few expose it by default. Github has a "Keep my email address private" option, for example.

[johanhugg]

Yeah, the keep email private option is misleading then, since it doesn't

[lafriks]

API should respect keep email private address setting. If it does not it is a bug

[johanhugg]

Please try this for yourself on the try.gitea instance

Would love to know when the fix will be officially released for this.

Chris do check your email. :)