pythondotorg icon indicating copy to clipboard operation
pythondotorg copied to clipboard
verified publisher icon python

fix: return an empty profile page when not found

Open miketheman opened this issue 1 year ago • 2 comments

Description

Return an identical empty page to prevent user enumeration.

miketheman avatar Dec 27 '24 19:12 miketheman

I’m not positive we even need or use the public profile page. Removing unauthenticated access to this view entirely is likely the correct move.

ewdurbin avatar Dec 27 '24 20:12 ewdurbin

On a little closer review, I think we should probably do away with the slugged URLs:

https://github.com/python/pythondotorg/blob/023121f3efd852679d31814c55c1d56a8a426033/users/urls.py#L41-L42

and replace them with /users/profile/detail and /users/profile/delete, then add a test_func matching the UserDeleteView to the UserDetail view that allows people to view their own details only.

ewdurbin avatar Jan 02 '25 12:01 ewdurbin