Phuks-co/throat

API endpoint api/v3/user/<username>/overview can be used to bypass the block_anon_stalking setting


The check for the block_anon_stalking setting is currently only done in app/templates/usercomments.html and app/templates/userposts.html.

It should also be checked in the user_overview function of app/views/api3.py; otherwise, if block_anon_stalking is enabled, it can be bypassed via this API endpoint.
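The gap described in this issue, as an added sketch that is not code from throat: the setting is enforced by one view-layer guard shared by every route that exposes a user's history, and a regression check lists routes that lack it. Apart from block_anon_stalking and the API path, all names, data and the HTML path are hypothetical.

```python
from dataclasses import dataclass
from functools import wraps
from typing import Optional

# Constructed sample state; every name except block_anon_stalking is hypothetical.
SETTINGS = {"block_anon_stalking": True}
COMMENTS = {"alice": ["first comment", "second comment"]}

@dataclass
class Request:
    user: Optional[str]  # None means an anonymous visitor

def blocks_anon_stalking(view):
    """Enforce the setting in the view layer, before any data is loaded."""
    @wraps(view)
    def wrapper(request, username):
        if SETTINGS["block_anon_stalking"] and request.user is None:
            return 403, {"error": "login required"}
        return view(request, username)
    wrapper.guarded = True  # marker read by the regression check below
    return wrapper

def api_overview_unguarded(request, username):
    # Shape of the reported gap: the API view never consults the setting.
    return 200, {"comments": COMMENTS.get(username, [])}

@blocks_anon_stalking
def api_overview(request, username):
    return 200, {"comments": COMMENTS.get(username, [])}

@blocks_anon_stalking
def html_user_comments(request, username):
    return 200, {"comments": COMMENTS.get(username, [])}

# Every route that exposes a user's history; the HTML path is a placeholder.
ROUTES = {
    "api/v3/user/<username>/overview": api_overview,
    "hypothetical/<username>/comments": html_user_comments,
}

def unguarded_routes(routes):
    """Regression check: history routes that skip the shared guard."""
    return [p for p, v in routes.items() if not getattr(v, "guarded", False)]
```

Running `unguarded_routes` over the route table in a test suite catches a newly added history endpoint that only relies on a template-level check.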