Backport #28023 by @6543
there was no check in place if a user could see a other user, if you
append e.g. `.rss`
reloadParam := func(suffix string) (success bool) {
ctx.SetParams("username", strings.TrimSuffix(username, suffix))
context_service.UserAssignmentWeb()(ctx)
+ // check view permissions
+ if !user_model.IsUserVisibleToViewer(ctx, ctx.ContextUser, ctx.Doer) {
+ ctx.NotFound("user", fmt.Errorf(ctx.ContextUser.Name))
+ return false
+ }
return !ctx.Written()
}
switch {