(Report received out-of-band from a user unwilling to use Github):
From the docs (and our intention):
"404 Not Found — Returned if the room does not exist, or is configured as inaccessible (and this user doesn't have access)."
And to a larger extent, the return of a 404 when actions are performed on rooms with all permissions disabled.
From a cursory check, it seems that both a manual "accessible" check and an @auth.accessible_required decorator are missing from several routes in rooms.py, messages.py and views.py, potentially allowing a user to scan for existing room names.
The web viewer, for instance, returns 403 instead of 404 for an inaccessible room.
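As an added illustration (not pysogs code), the following models the 403-versus-404 mismatch the report describes and a stand-in `accessible_required` decorator, named after the one mentioned above but written here from scratch, that collapses "does not exist" and "not accessible to this user" into a single 404 so a caller cannot tell the two apart. The room table and user names are constructed sample data.

```python
# Added illustration (not pysogs code): why a 403/404 mismatch lets a
# caller distinguish hidden rooms from missing ones, and how one
# decorator closes the gap.
import functools

# Constructed sample data: room name -> set of users allowed to read it.
ROOMS = {
    "public-lounge": {"alice", "bob"},
    "staff-only": {"alice"},          # configured inaccessible to bob
}

def _room_exists(room):
    return room in ROOMS

def _user_can_access(room, user):
    return user in ROOMS.get(room, set())

# Leaky behaviour as described in the report: an existing-but-inaccessible
# room yields 403, a missing room 404, so the status code reveals existence.
def leaky_room_view(room, user):
    if not _room_exists(room):
        return 404, "Not Found"
    if not _user_can_access(room, user):
        return 403, "Forbidden"
    return 200, f"room {room}"

# Stand-in for the missing accessible_required decorator: both the
# "does not exist" and "not accessible" cases return 404, and the wrapped
# handler only runs once access has been confirmed.
def accessible_required(handler):
    @functools.wraps(handler)
    def wrapper(room, user):
        if not _room_exists(room) or not _user_can_access(room, user):
            return 404, "Not Found"
        return handler(room, user)
    return wrapper

@accessible_required
def fixed_room_view(room, user):
    return 200, f"room {room}"

def is_enumerable(view, user="bob"):
    """True if the view's status codes distinguish a hidden room from a
    nonexistent one, i.e. the view leaks room existence."""
    hidden = view("staff-only", user)[0]
    missing = view("no-such-room", user)[0]
    return hidden != missing

if __name__ == "__main__":
    print("leaky view enumerable:", is_enumerable(leaky_room_view))  # True
    print("fixed view enumerable:", is_enumerable(fixed_room_view))  # False
```

The `is_enumerable` check is the kind of regression test that would catch any route in rooms.py, messages.py or views.py that still answers 403 for a hidden room.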