Thanks for your reports.
The behavior indeed changed from beta 13 to beta 14. The change was made on purpose in flarum/core#2305 The reasoning for the change can be consulted in flarum/core#1680
However it seems like we did forget to describe it in the release post. That's an oversight, we should have made this more clear. It seems to be missing from the CHANGELOG file too, we will correct that.
Essentially "View user list" was never supposed to prevent user enumeration or user profile access. It controls the search endpoint, which allows filtering users by additional parameters, and sort them by some values.
Up to beta 13, this permission was used to partially prevent user profile access, but this caused issues and wasn't a good solution, since it never hid all of the information anyway.
So as of beta 14, it has been decided that this permission would only serve to protect the user search, and that other permissions might be introduced later for the other features.
As of beta 14 and 15, Flarum does not come with the ability to hide user profiles. This is intentional. We know that user ID and usernames can be enumerated, and we don't consider that a vulnerability.
Some solutions that could help with your situation:
The "View discussions" permission controls visibility of both all posts and all profiles. Allowing to make a fully private forum.
Then there solutions for partially public forums that could be made using the extension API:
- If the usernames must not be visible to guests, an extension could replace them with blank/other values when viewed as guest
- An extension could introduce a non-sequential ID system
If you can describe your situation in more details (what's public, what's private, how people should gain access), we might be able to make other suggestions as to how to proceed.
PS: While we talk about enumeration, in Flarum, just like in many other software, there are other endpoints which allow enumeration. The sign up form, when registrations are open, already leaks username and email existence. Likewise, the password reset feature exposes email existence.
Flarum can be hardened to protect against those leaks, but we feel this is best left to specialized extensions since on most forums the information will already be discoverable by legitimate means (username) or worsens the user experience (email).