Commit 4b7afea7 authored by Matthias Bernt's avatar Matthias Bernt

never exopose user info to non authenticated users

fixes https://github.com/galaxyproject/galaxy/issues/20505

should be fine if non-authenticated users can't share anything
(not sure about this)
parent 968ef131
+5 −4
@@ -202,6 +202,10 @@ class UsersService(ServiceBase):
        f_name: Optional[str],
        f_any: Optional[str],
    ) -> List[MaybeLimitedUserModel]:
        # never give any info to non-authenticated users
        if not trans.user:
            return []

        # check for early return conditions
        if deleted:
            if not trans.user_is_admin:
@@ -216,10 +220,7 @@ class UsersService(ServiceBase):
                and not trans.app.config.expose_user_name
                and not trans.app.config.expose_user_email
            ):
                if trans.user:
                return [UserModel(**trans.user.to_dict())]
                else:
                    return []

        users = get_users_for_index(
            trans.sa_session,
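Review bot: The new guard at the top of the method, `if not trans.user: return []`, answers an anonymous caller with an empty list, which a client cannot tell apart from "no user matched", and the commit (+5 −4 in this one file) carries no regression test for the access-control path it fixes. A test that calls the index without any credentials, with `expose_user_name` and `expose_user_email` enabled and with `f_name`/`f_any` set, and asserts that no user record is returned would pin the fix. If the silent empty list is deliberate rather than an authentication error, say so in the comment, for example `# anonymous callers get [] (not an error); user data is only ever returned to an authenticated user`. The method starts before the first hunk and continues past the second (the `get_users_for_index` call is cut off), so the later branches cannot be checked from here.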