fix: don't expose user existence if visitor can't view users #12447
+4
−4
resolves #12432
This is a slightly hacky way to fix this, but I'm not entirely sure if there aren't any plugins depending on `exposeUid`/`exposeGroupName` short-circuiting to a 404 on lack of the relevant value (which obvious solutions would need to change), while this ensures it still goes directly to 404 if the visitor has the relevant privilege while going to notAllowed otherwise. This way also required changes to just the middleware and not any of its consumers.
Also, this fixes the same issue for groups because the code was shared already.
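
The behaviour described above, as an added sketch that is not code from this pull request or from the project: `lookupUid`, `canViewUsers`, the visitor labels and the outcome strings are hypothetical stand-ins, and the data is constructed. It folds the middleware and its consumer into one function to show why a visitor without the privilege must get the same outcome whether or not the user exists.

```javascript
// Constructed sample data (assumption): known user slugs and which visitor
// kinds hold the "view users" privilege.
const USERS = new Map([['alice', 1], ['bob', 2]]);
const PRIVILEGED = new Set(['member']);

// Hypothetical helpers standing in for the real lookup and privilege check.
function lookupUid(slug) { return USERS.get(slug) || 0; }
function canViewUsers(visitor) { return PRIVILEGED.has(visitor); }

// Before: the middleware short-circuits to "notFound" when the slug has no
// uid, and the privilege is only checked later, once a uid was found.
function exposeUidBefore(visitor, slug) {
  const uid = lookupUid(slug);
  if (!uid) return 'notFound';
  return canViewUsers(visitor) ? 'ok' : 'notAllowed';
}

// After: a missing uid still ends in "notFound", but only for visitors who
// may view users; everyone else gets "notAllowed" on both branches.
function exposeUidAfter(visitor, slug) {
  const uid = lookupUid(slug);
  const allowed = canViewUsers(visitor);
  if (!uid) return allowed ? 'notFound' : 'notAllowed';
  return allowed ? 'ok' : 'notAllowed';
}

// Regression check: does the outcome differ between a slug that exists and
// one that does not? For an unprivileged visitor it must not.
function leaksExistence(handler, visitor) {
  return handler(visitor, 'alice') !== handler(visitor, 'no-such-user');
}

for (const [name, handler] of [['before', exposeUidBefore], ['after', exposeUidAfter]]) {
  console.log(name, 'guest can tell users apart:', leaksExistence(handler, 'guest'));
}
```

A check like `leaksExistence` is worth keeping as a regression test for every route that consumes the middleware, groups included.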