API leaks user info

Kyrne

SoLux The permission viewUserList

Ralkage

I did notice that setting viewUserList to "Everyone" does not allow guests to view the user list via API GET or just /api/users. I have always assumed that "Everyone" included gusts as well? @Kyrne Some insight if possible since we are on this topic.

It is returning:

{ "errors": [ { "status": "404", "code": "resource_not_found" } ] }
Even when viewUserList is set to "Everyone".

SoLux

That would only mean registered users, I think otherwise it would show up with Google perhaps?
As it'd change every time someone registers.

Kyrne

Ralkage everyone should be everyone, as users means registered users.

Ralkage

@Kyrne @SoLux Everyone would include "Guests" as well because viewDiscussions works as intended. The bug I am pointing out can be explained as so:

I am Flarum Administrator, I want to hide my forum discussions from the public and only allow registered users to see them. I go into my Admin CP, set "View discussions" in the permissions section to "Members" (aka Registered Users) and staff only. To test, I hit the API and call /api/discussions while my header includes my Authentication token that I generated to test this permission. This returns data successfully. I now revoke/remove my Authentication token, try a GET request again and it returns:

{ "links": { "first": "http://reflar.dev/api/discussions" }, "data": [] }
This works as intended and in reverse as well.

This, however, does not work the same for the "viewUserList" permission. It completely ignores the fact that I set this permission to "Everyone" as I did with "viewDiscussions".

Pollux

Ralkage It completely ignores the fact that I set this permission to "Everyone" as I did with "viewDiscussions".

I guess you mean set this permission to "Members"?

Ralkage

Pollux

The assumption is that when viewUserList is set to "Everyone", me, as the guest who just landed on this site can access the member list via API. It is still acting as if the permission change did not even occur. I consider this a functionality bug.

Pollux

I still don't get what you want, respectively what is not working as you would expect.

Ralkage The assumption is that when viewUserList is set to "Everyone", me, as the guest who just landed on this site can access the member list via API.

That's what I would expect too (and that's exactly what's happening in my forum). The discussions are hidden from guests, the user list is not, both in accordance with your settings. What would you expect.

Ralkage

Pollux It's working the complete opposite for me as even if I set it visible for "Guests", they still can't view the user list. This is supposed to be possible with the viewUserList permission addition in Beta 7. I set the permission to "Everyone" and guests can view the user list, that is supposed to happen as it behaves the same with viewDiscussions with the similar setting in place. Your issue may be isolated from mine, but we did manage to stumble into another one lol.

Do you have any 3rd party extensions currently installed?

Pollux

Ralkage Do you have any 3rd party extensions currently installed?

Yes, I use Flagrow User Directory (version 0.1.0) and it's working fine.

Ralkage we did manage to stumble into another one lol.

That's how it looks like. ?

Ralkage

Pollux That may be your issue right there, have you tried disabling that package, clearing your Flarum cache as well as browser cache? Two different permissions, one built into core and one in Flagrow's User Directory extension, they could be clashing in some way.

The last update to User Directory was 4 months ago, before Beta 7 released.

Pollux

I can see clearly now ...

Having the User Directory extension enabled doesn't make a difference, I tried it with and without.

Im my experiments with your scenario I did however restrict the permission to view discussions only globaly, assuming that this would override settings for specific tags. That was may mistake.

If I also restrict the permission to view discussions for every tag that comes with its own rules, I can indeed observe, what you described, the api call to /api/users reveales an essentially empty json response.

Pollux

And yes, I do see this behaviour as a bug too.

datitisev

In my testing, everything has worked just fine. flarum/core1245 (comment)
Not sure why it would return an empty array, as that code wasn't changed.
And yes, Everyone includes guests, for members there is a Members option.

Franz

Hmm, we could think about using non-incremental unique keys for user IDs... that way, it would not be possible to get information about users (especially those who have never posted) just by incrementing a number in the URL.

SoLux On the other hand, which of the information in Kyrne do you think should not be exposed?

0E800

Franz
I believe it should not give out information related to:

Toby is the admin.
Toby joined 2014
Toby was last seen 2017
If Toby was also in any other groups.

I could imagine this information would be helpful in a social engineering campaign.
Granted this info can be gleamed by simply joining the forum, but if you got yourself a simple python script,
you could supply a list of flarum sites, and scrape data to a csv with users info + anything else they might not realize, like twitter accounts and email addresses. Push that data to your spearfishing campaign script or twitterbot flood user profile, troll, etc.

I am not a professional this is just my 2cents.

Ralkage

Franz Didn't esoTalk go by user ID followed by the username? I like that approach.

For example: 207-Ralkage

Pollux

0E800 I believe it should not give out information related to:

Toby is the admin.
Toby joined 2014
Toby was last seen 2017
If Toby was also in any other groups.

Wasn't it the explicit wish of @Ralkage to let guests view the user list? If he wouldn't want that, he could simply revoke that permission.

On the other hand, I would like to somewhat restrict the amount of information given to non-members. Like Franz Franz, we shouldn't allow anyone (not even registered users) to systematically iterate the whole userbase. I would like to show e.g. only users online to non-members and only users with at least one post to members. And I would probably like to share less of the user information with guest than with members.

To do that, we would need more fine-grained permission settings for different user groups (including recentness of activity) and the items revealed within the user profile (eg. join date, last seen, bio and contact information). This looks like a decent extension proposal to me.

Ralkage Didn't esoTalk go by user ID followed by the username? I like that approach.

A more robust way to target this problem is to assign a unique random identifier to each user account that would never change, even if the username might be changed one day or deleted. That way existing @-mentions would become future proof.

Franz

Ralkage For example: 207-Ralkage

As only the ID is the real identifier here, it is usually possible to access the page with any other string after the ID as well. Try 207-XXX. You can try it with this discussion's URL as well. ?

jordanjay29

Ralkage Also, 207-Ralkage is problematic for database purposes. If someone were to change their username (let's say Ralkage changes his name to MisterBubbles), now every instance of 207-Ralkage in the database needs to be changed to 207-MisterBubbles. And if something is missed, like a table created by an extension that doesn't also hook into the username change function, features can be broken and Flarum could cease to work.

@Pollux Mentions are currently not future proof, either, fyi. They still have the username hardcoded.