Massive security problem!

Please fill out these questions for all feature requests and bug reports. If you're requesting a feature, please let us know why this feature is important or useful, not just what it should do.

  1. What browsers show this problem? serverside/all
  2. Please share an example project (if possible).
  3. Describes the steps to reproduce this issue.
  4. What does Snap! currently do? Reveal user information that should not be public.
  5. What should Snap! do instead? respond with a big fat HTTP 403

please thanos :snap: this bug

Whoa! Right you are, we shouldn't be leaking email addresses. Thanks for reporting it!

@bromagosa, this one's for you.

Hmmm... Are you sure? Did you try with a different user than yourself? (Not you, @bh, you're an admin)

I've just tried it. It does leak any user's information.
EDIT: I've also searched, but they don't have any record, so that's OK.

Okay, I'm totally overworked right now and can't spend a minute on anything else :worried:

Can @cycomachead take a look maybe?

As am I.

I’ll see what I can do. I don’t have a good idea of everywhere this is used.

Also, for security issues PLEASE do not report things publicly.

I am double booked

I support this suggestion. It sounds like a good idea.

Found and fixed. It was a stupid operator precedence error that was affecting not just this one user permission assertion... :worried:

Thanks for reporting!

p.s. As @cycomachead suggested, in the future please use to report security issues.

I forgot to say, this kind of error could have never happened in a blocks-based language! :stuck_out_tongue_winking_eye:

Bless you!

By the way, I didn't try this on anyone other than another account I had.