| From: | Magnus Hagander <magnus(at)hagander(dot)net> |
|---|---|
| To: | Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com> |
| Cc: | Jelte Fennema-Nio <me(at)jeltef(dot)nl>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: Early December Commitfest app release |
| Date: | 2025-11-15 13:04:54 |
| Message-ID: | CABUevEx=MvxutrwREiS=SaOHpeDjivfqDbvjfaq+iw5jaMwWhQ@mail.gmail.com |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Wed, Nov 12, 2025, 22:48 Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com>
wrote:
> On Tue, Nov 11, 2025 at 2:12 AM Jelte Fennema-Nio <me(at)jeltef(dot)nl> wrote:
> > 3. Make user dropdowns searchable when not logged in
>
> Adding Magnus -- Magnus, do you remember the rationale for re-adding
> this protection back in 6ff8c6a52? Does it still apply?
>
Yes, IIRC we had security complaints about people being able to enumerate
all users without being logged in. Since it's not just users who submitted
any data, it was enough to just having clicked a link once...
If it was restricted to only show those that had actually submitted into it
would've probably been considered OK - but at the time it was not
considered to be worth the effort to split those up.
/Magnus
>
| From | Date | Subject | |
|---|---|---|---|
| Next Message | David G. Johnston | 2025-11-15 13:23:39 | Re: Document NULL |
| Previous Message | jian he | 2025-11-15 11:11:38 | Re: ON CONFLICT DO SELECT (take 3) |