Update 'username' theme template to use 'view label' operation.

There are other things not tied to access user profiles: showing the user picture in comments and nodes.

Hm? So what do you suggest we display if the user cannot see the user name?

Rough mock-up of the new node display:

This is not a content

Authored by [shhh. it's a secret] on [you don't want to know or I will have to kill you]

...

Even "by (a registered user)" could be considered an information leak.

The current user profile is susceptible of information leakage too. I'm just writing a module that should hide users existence accordingly to their privacy setting.

Hiding their profile is a hack... you can return a 404 too late and still you've to drupal_set_title.
It should be possible to add permission checks much earlier to save resources so it would make even harder to guess uid existence comparing response time.

Then there is user_autocomplete...

@ivanSB: The autocomplete callback in user.module is restricted to the 'access user profiles' permission. Not sure what you're referring to.

I'm thinking to a more general problem... completely hide user existence... selectively.

I'm thinking about http://drupal.org/project/profile_privacy (that fortunately has already a D7 branch) and OG (or any other group management solution).

There is no standard way to set if a user would like to make its profile private or become completely anonymous and which details to show and if and how he want to be contacted (too broad but could be improved giving some "hooks" to other modules to change the visibility of profile fields).

There are other details that a user may wish to hide (last time logged in, update time, email, timezone, language...).

Dealing with these with a more uniform interface may make easier to eg. grant access to groups or cascading module modifications to these details.

eg if I want to prevent modules to link to a profile I've to redefine the theme('username'. Setting $object->uid=null in hook_nodeapi is risky, because something downstream may need it etc...

Maybe the authors of profile_privacy may share some insight and experience.

Marked #899650: Drupal should not reveal existence of registered specific email addresses to unauthorized users as duplicate.

Issue with http://drupal.org/user/number - will display user details but in my site we restricted as "Access denied You are not authorized to access this page." with standard template format.
but in html source code display in <body class="page not-front not-logged-in no-sidebars page-users-xxxxxxx section-users " >
This is issue reported in our security testing!

Moving back to 8.x-dev

hello ,

I think that when could increment security adding to core something like USERNAME and other field USER LOGIN NAME or something like at the register user form .I did it for drupal 6 with some form alters.In this case you can know the name but into the login form you ask for USER LOGIN NAME (or email if you want) and you increment the security.ALso we could hide emails and other things from permissions...

I'd like to have this on D8, so I'll try to do something about it. Tagging as security btw.

Should this be on template_preprocess_username? Not sure if it could be too late on the page generation flow and it could be hijacked by a buggy theme. If that is OK, it could be as simple as adding a new permission, and not filling $variables['name] and $variables['name_raw'].

This is how this first patch starts.

If it's the right path to follow, this will need tests.

Fix at least the existing tests by adding the permission.

Only a minor issue making "an invisible user" configurable? Maybe cut-out "an", because "an" is maybe only needed for the info field.

But a more major issue would be, if the preprocess is the right place. I'm not sure about it, because themers can mess around with it, but I do not have a better idea yet.
On user load you can't work with user name on any other place.
On user view it only would affect the profile page.

Another pending issue is that it shows: " invisible user (not verified) ". The "non verified" string is another info leak.

Here's a different take on it.

A general issue is there is not a standard way to check for access on a user object, unlike nodes. So instead of adding a new permission specially for seeing usernames, this patch introduces a generic "access users" permission that acts like "access content" permission does for nodes, and a user_access_user function that acts like node_access does for node, and checks that.

I like the symmetry, but shouldn't this follow #1696660: Add an entity access API for single entity access?

Hm, that and #777578: Add an entity query access API and deprecate hook_query_ENTITY_TYPE_access_alter() are extremly overlapping.

It could, but not without depedening on the other patch, and should be simple enough to change once/if #1696660: Add an entity access API for single entity access lands.

Entity access and #1862752: Implement entity access API for users landed. Is this issue now duplicate?

Would be great if we could bring this into D8.

Patch applies nicely.

+++ b/core/modules/user/user.module
@@ -495,6 +519,75 @@ function user_preprocess_block(&$variables) {
+    $account = $GLOBALS['user'];

Would be $account = \Drupal::currentUser(); ?

Here is a new approach to this issue. Patch at #29 is outdated by far and is using old D7 stuff. The naming of the "Invisible user" is to be discussed and if the string should be a variable or something else?

Here is a new patch. Last one didn't remove the user id in markup.

Applied changes against 8.2.x branch and removing Needs Reroll tag as I could apply the patch, so no reroll is needed.

Creating patch with 8.3.x branch and changing all the required items.

Seeing a lot of sceptical comments and attempts to expand the scope. Would it be beneficial to update the issue story specifying that the patch is targeting the Username Enumeration vulnerability and not anything else.

Note for developers: the patch should alter the way Drupal sends 403 or 404 response in cases where an anonymous user is accessing a profile page for a user that exists in the system vs opposite. Currently it's possible to find out username existence based on response code (in particular with pathauto module redirecting to an aliased user profile page). I have described the problem in https://ivan.grynenko.com/username-enumeration-vulnerability-drupal

Note for sceptics: it's okay to have your own opinion on the issue, but please do not pollute this thread with discussions, do it somewhere else.

More similar discussions: https://www.drupal.org/node/1004778

We have an issue committed in Drupal 8.1 which introduced core use of a entity access "view label" operation. See New 'view label' entity access operation added.

Patch for this issue can be written to be based off this operation.

Per the original issue request, a contrib module is capable of mapping the access user profiles permission to "view label" operation using hook_hook_entity_access hooks. I don't think it would be correct default behaviour to hide user labels. We even have this fragment in \Drupal\user\UserAccessControlHandler:

// We don't treat the user label as privileged information, so this check
// has to be the first one in order to allow labels for all users to be
// viewed, including the special anonymous user.
if ($operation === 'view label') {
  return AccessResult::allowed();
}

New 'view label' entity access operation added introduces the string "- Restricted access -" for when access to view the label of an entity is restricted.

Fixed link

Access to view the the account label is now controlled by the entity 'view label' operation. This does not affect non-users.

• Added associated tests for above behaviours.
• Using the username theme template will now automatically add appropriate cache tags from the user entity.
• Added tests to make sure cachability data from 'view label' access is added to the template.
• Added tests to check for truncated user names, since I broke them while developing the patch, and Drupal did not complain.
• The '- Restricted access -' translatable string is used when the current user does not have permission to view the account label. This is the same string used elsewhere in Drupal when 'view label' is not granted, it was introduced with New 'view label' entity access operation added.

This patch does not inherit code from previous efforts.

Wrong version, try again.

Quick fix: fixed issue with new test not ordering expected tags alphabetically.

Interdiff with #64

Rerolling against 8.7.x.

Ergh

Reroll and fix deprecations

Reroll in #71 missed the new UserTemplateTest.

I've rerolled from #67 for 9.2.x and I think I've captured the deprecations from #76 as well.

Let's see what the testbot says about it.

Ah. Missed one.

This should fix 6 of the 7 errors - the other one... I'm not sure why that's happening.

Tried to fix the remaining failed cases.

Nice one @anmolgoyal74.

The restricted user permission was being interrupted by the 'sub-admin' permission in the test setup. This change will make the test pass according to local testing but it needs someone else to take a good look at it to make sure I'm not breaking some logic, because I don't yet understand what that sub-admin test is doing.

I think we have bumped into the same problem ;S Maybe we should join our effort in the other issuer?

@mxr576 that doesnt seem appropriate, this issue has a very concise scope. The solution for #3240913: Make username access configurable and not implicit allowed already exists, so perhaps it can be rescoped to a general initiative wherein the 'view label' operation is increasingly used.

But until username access is always allowed in Drupal core and access check is missing from several places, I see less value in solving the task at hand here. Yes, a contrib modules can minimally benefit from this fix although because usernames are not always printed with '#theme' => 'username'; neither in core, nor in contrib modules, therefore, a proper fix cannot be provided on downstream projects either.

The Needs Review Queue Bot tested this issue. It either no longer applies to Drupal core, or fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".

Apart from a re-roll or rebase, this issue may need more work to address feedback in the issue or MR comments. To progress an issue, incorporate this feedback as part of the process of updating the issue. This helps other contributors to know what is outstanding.

Consult the Drupal Contributor Guide to find step-by-step guides for working with issues.