BookStack/app/Http/Controllers/UserSearchController.php

<?php

namespace BookStack\Http\Controllers;

use BookStack\Auth\User;
use Illuminate\Http\Request;

class UserSearchController extends Controller
{
    /**
     * Search users in the system, with the response formatted
     * for use in a select-style list.
     */
    public function forSelect(Request $request)
    {
        $hasPermission = signedInUser() && (
            userCan('users-manage')
                || userCan('restrictions-manage-own')
                || userCan('restrictions-manage-all')
        );

        if (!$hasPermission) {
            $this->showPermissionError();
        }

        $search = $request->get('search', '');
        $query = User::query()
            ->orderBy('name', 'asc')
            ->take(20);

        if (!empty($search)) {
            $query->where('name', 'like', '%' . $search . '%');
        }

        return view('form.user-select-list', [
            'users' => $query->get(),
        ]);
    }
}
Added user-select input 2020-12-31 12:25:20 -05:00			`<?php`

			`namespace BookStack\Http\Controllers;`

			`use BookStack\Auth\User;`
			`use Illuminate\Http\Request;`

			`class UserSearchController extends Controller`
			`{`
			`/**`
			`* Search users in the system, with the response formatted`
			`* for use in a select-style list.`
			`*/`
			`public function forSelect(Request $request)`
			`{`
Addressed user detail harvesting issue Altered access & usage of the /search/users/select endpoint with the following changes: - Removed searching of email address to prevent email detail discovery via hunting via search queries. - Required the user to be logged in and have permission to manage users or manage permissions on items in some way. - Removed the user migration option on user delete unless they have permission to manage users. For #3108 Reported in https://huntr.dev/bounties/135f2d7d-ab0b-4351-99b9-889efac46fca/ Reported by @haxatron 2021-12-14 13:47:22 -05:00			`$hasPermission = signedInUser() && (`
Applied latest StyleCI changes 2021-12-15 08:49:20 -05:00			`userCan('users-manage')`
Addressed user detail harvesting issue Altered access & usage of the /search/users/select endpoint with the following changes: - Removed searching of email address to prevent email detail discovery via hunting via search queries. - Required the user to be logged in and have permission to manage users or manage permissions on items in some way. - Removed the user migration option on user delete unless they have permission to manage users. For #3108 Reported in https://huntr.dev/bounties/135f2d7d-ab0b-4351-99b9-889efac46fca/ Reported by @haxatron 2021-12-14 13:47:22 -05:00			`\|\| userCan('restrictions-manage-own')`
			`\|\| userCan('restrictions-manage-all')`
			`);`

			`if (!$hasPermission) {`
			`$this->showPermissionError();`
			`}`

Added user-select input 2020-12-31 12:25:20 -05:00			`$search = $request->get('search', '');`
Addressed user detail harvesting issue Altered access & usage of the /search/users/select endpoint with the following changes: - Removed searching of email address to prevent email detail discovery via hunting via search queries. - Required the user to be logged in and have permission to manage users or manage permissions on items in some way. - Removed the user migration option on user delete unless they have permission to manage users. For #3108 Reported in https://huntr.dev/bounties/135f2d7d-ab0b-4351-99b9-889efac46fca/ Reported by @haxatron 2021-12-14 13:47:22 -05:00			`$query = User::query()`
			`->orderBy('name', 'asc')`
Added user-select input 2020-12-31 12:25:20 -05:00			`->take(20);`

			`if (!empty($search)) {`
Addressed user detail harvesting issue Altered access & usage of the /search/users/select endpoint with the following changes: - Removed searching of email address to prevent email detail discovery via hunting via search queries. - Required the user to be logged in and have permission to manage users or manage permissions on items in some way. - Removed the user migration option on user delete unless they have permission to manage users. For #3108 Reported in https://huntr.dev/bounties/135f2d7d-ab0b-4351-99b9-889efac46fca/ Reported by @haxatron 2021-12-14 13:47:22 -05:00			`$query->where('name', 'like', '%' . $search . '%');`
Added user-select input 2020-12-31 12:25:20 -05:00			`}`

Addressed user detail harvesting issue Altered access & usage of the /search/users/select endpoint with the following changes: - Removed searching of email address to prevent email detail discovery via hunting via search queries. - Required the user to be logged in and have permission to manage users or manage permissions on items in some way. - Removed the user migration option on user delete unless they have permission to manage users. For #3108 Reported in https://huntr.dev/bounties/135f2d7d-ab0b-4351-99b9-889efac46fca/ Reported by @haxatron 2021-12-14 13:47:22 -05:00			`return view('form.user-select-list', [`
			`'users' => $query->get(),`
			`]);`
Added user-select input 2020-12-31 12:25:20 -05:00			`}`
			`}`