
Opened 4 years ago

Closed 4 years ago

#2828 closed defect (fixed)

How to query for users (ID, slug, email, etc...)

Reported by: johnjamesjacoby
Owned by: johnjamesjacoby
Milestone: 2.5.8
Priority: normal
Severity: normal
Version: 2.0
Component: Component - Users
Keywords: has-patch
Cc:

Description (last modified by johnjamesjacoby)

Right now, via bbp_parse_query() it's possible to query for users in 3 different ways:

  • Numeric ID - ?bbp_user=1
  • Nicename Slug - ?bbp_user=admin
  • Email Address - ?bbp_user=jjj@bbpress.org

My thoughts:

  • ID makes sense, and mirrors WordPress's ?author=1 functionality
  • Nicename makes sense, because it is the vanity version of a user's login
  • Email address makes less sense to me, and has the potential to be abused

(Note: Nicename and Email methods require pretty permalinks to be configured for the site bbPress is active on.)

Hat tip glynwintle for the original report.
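As an added illustration (not bbPress code, and not taken from the ticket's patches), the following standalone PHP models the three resolution branches the description lists. A constructed in-memory user table stands in for WP_User::get_data_by(), and filter_var() stands in for WordPress's is_email(). resolve_user_legacy() is the pre-fix behaviour; resolve_user_fixed() drops the email branch, which is what r5813/r5814 did. Running it shows why the email branch is a privacy problem: the legacy resolver answers differently for a registered address than for an unknown one, so anyone can confirm whether an address has an account on the forum.

```php
<?php
// Added example, not bbPress code. Models how a ?bbp_user= value was
// resolved to a user record before and after the fix, using a constructed
// in-memory user table in place of WP_User::get_data_by().
declare(strict_types=1);

// Constructed sample accounts (hypothetical data, not real users).
const USERS = [
    ['ID' => 1, 'user_nicename' => 'admin', 'user_email' => 'admin@example.test'],
    ['ID' => 7, 'user_nicename' => 'jjj',   'user_email' => 'jjj@bbpress.org'],
];

// Stand-in for WP_User::get_data_by( $field, $value ).
function get_data_by(string $field, string $value): ?array
{
    foreach (USERS as $user) {
        if ((string) $user[$field] === $value) {
            return $user;
        }
    }
    return null;
}

// Pre-fix resolver: numeric => ID, is_email() => email, otherwise nicename.
// filter_var() stands in for WordPress's is_email() here.
function resolve_user_legacy(string $bbp_user): ?array
{
    if (is_numeric($bbp_user)) {
        return get_data_by('ID', $bbp_user);
    }
    if (filter_var($bbp_user, FILTER_VALIDATE_EMAIL) !== false) {
        return get_data_by('user_email', $bbp_user);
    }
    return get_data_by('user_nicename', $bbp_user);
}

// Post-fix resolver: the email branch is gone. An address now falls through
// to the nicename lookup, and nicenames never contain '@', so it cannot match.
function resolve_user_fixed(string $bbp_user): ?array
{
    if (is_numeric($bbp_user)) {
        return get_data_by('ID', $bbp_user);
    }
    return get_data_by('user_nicename', $bbp_user);
}

// What a visitor would observe for a given ?bbp_user= value: a profile page
// when the lookup succeeds, a not-found response when it does not.
function probe(callable $resolver, string $value): string
{
    $user = $resolver($value);
    return $user === null
        ? '404 (no such user)'
        : "200 (profile of {$user['user_nicename']})";
}

// The last two probes differ only under the legacy resolver: that difference
// is the oracle that lets anyone test whether an email address is registered.
foreach (['7', 'jjj', 'jjj@bbpress.org', 'nobody@bbpress.org'] as $q) {
    printf("%-20s legacy: %-24s fixed: %s\n",
        $q, probe('resolve_user_legacy', $q), probe('resolve_user_fixed', $q));
}
```

Run it with `php resolver.php` (PHP 7.1 or later for the nullable return types). The ID and nicename branches are unchanged by the fix, so the numeric and slug probes resolve the same way in both columns; only the email probe flips from a profile page to a not-found response.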

Attachments (3)

2828.diff (952 bytes) - added by tharsheblows 4 years ago.
don't allow user queries by email address and, if permalinks active, by id
2828.2.diff (1002 bytes) - added by tharsheblows 4 years ago.
update comment
2828.3.diff (1.5 KB) - added by netweb 4 years ago.


Change History (10)

#1 @johnjamesjacoby
4 years ago

See also r2917 and #1475. I have a faint memory of talking about this on IRC, and my guess is we concluded that having more explicit queries map to WP_User::get_data_by() was the way to go.

Last edited 4 years ago by johnjamesjacoby

#2 @johnjamesjacoby
4 years ago

  • Description modified

#3 @tharsheblows
4 years ago

This is a fairly serious privacy issue, as email addresses are assumed to be private and being able to search for users via an email address isn't expected. I'd feel much more comfortable treating this as a security issue and fixing the email query issue, and then discussing the rest. (I patched my live site immediately after reading this.)

@tharsheblows
4 years ago

don't allow user queries by email address and, if permalinks active, by id

@tharsheblows
4 years ago

update comment

@netweb
4 years ago

#4 @netweb
4 years ago

  • Keywords has-patch added; 2nd-opinion removed
  • Milestone changed from Under Consideration to 2.5.8

Agreed, email address here has potential abuse written all over it from a privacy stand point.

As @tharsheblows points out, recently on BuddyPress Trac a decision was made to avoid posting "privacy" related issues on Trac and to treat them as a security issue; we should do the same.

Original IRC discussion re #1475 here

2828.3.diff refreshes 2828.2.diff with PHPDoc changes.

4 years ago

This ticket was mentioned in Slack in #bbpress by tharsheblows.

#6 @johnjamesjacoby
4 years ago

In 5813:

Users: Remove is_email() check from user query parsing.

This commit removes the ability to load a user profile via their email address. This feature (added in r2917) was a convenience mechanism to make finding a user within the forums with a known address easier, but times have changed and we now consider this to be a privacy concern by default.

Note: this will break backwards-compatibility for installations that may have used this unpublicized (and regrettably unwise) feature.

See #2828. Hat-tip netweb. For 2.6 (trunk)

#7 @johnjamesjacoby
4 years ago

  • Owner set to johnjamesjacoby
  • Resolution set to fixed
  • Status changed from new to closed

In 5814:

Users: Remove is_email() check from user query parsing.

This commit removes the ability to load a user profile via their email address. This feature (added in r2917) was a convenience mechanism to make finding a user within the forums with a known address easier, but times have changed and we now consider this to be a privacy concern by default.

Note: this will break backwards-compatibility for installations that may have used this unpublicized (and regrettably unwise) feature.

Fixes #2828. Hat-tip netweb. For 2.5.8 (2.5 branch)
