Possible security issue with user name-contact page

[AliasQli]

Page https://hackage.haskell.org/user/:username/name-contact can be visited without authorization where :username can be any username, and user's full name and email can be viewed on that page. This seems to be a security issue.

[AliasQli]

Quick fix: add guardAuthorised_ [IsUserId uid, InGroup adminGroup] to Distribution.Server.Features.UserDetails.handlerGetUserNameContactHtml.

[gbaz]

I don't think that we ever considered names and emails to require security -- the users are primarily package uploaders, and their contact information is expected to be public.

[phadej]

@gbaz that's plain wrong

On https://hackage.haskell.org/users/register-request it's very clearly stated that

Your email address will be used to confirm your account (and if you ever need to reset your password). It will also be used if one of the site administrators ever needs to contact you. It will not be displayed on the website (but note that email addresses in .cabal files that you upload are public).

---

the users are primarily package uploaders, and their contact information is expected to be public.

My account management email may well be different from "send all spam here" email. (or I might use [email protected] to help me organize email - small thing, but it's fun to see from which package pages bots found my email! ;) )

[gbaz]

Oh fair 'nuff. In that case a pr changing this is welcome.