Merge pull request #24 from nicksantamaria/2133887-prevent-enumeration-userpage

Prevent enumeration on user profile pages.

Merge pull request #24 from nicksantamaria/2133887-prevent-enumeration-userpage
98b6759c · Nick Santamaria · GitHub · 455ee6da · 12e31766 · 98b6759c
Unverified Commit 98b6759c authored 6 years ago by Nick Santamaria Committed by GitHub 6 years ago
--- a/tests/simpletest/username_enumeration_prevention.test
+++ b/tests/simpletest/username_enumeration_prevention.test
@@ -104,4 +104,24 @@ class UsernameEnumerationPreventionTestCase extends DrupalWebTestCase {
    return $email;
  }
+  /**
+   * Submit the password reset form and check for resulting messaging.
+   */
+  public function testUserPageEnum() {
+    // Add some fake uids.
+    $uids = [13, 22, 1098];
+    // Create some real users.
+    for ($i = 0; $i < 5; $i++) {
+      $user = $this->drupalCreateUser();
+      $uids[] = $user->uid;
+    }
+    foreach ($uids as $uid) {
+      // Hit user/[uid] and ensure a 404.
+      $this->drupalGet(sprintf("user/%d", $uid));
+      $this->assertResponse(404, t('Page not found error returned when viewing user profile pages.'));
+    }
+  }
 }
--- a/username_enumeration_prevention.module
+++ b/username_enumeration_prevention.module
@@ -9,6 +9,23 @@
 * only for users with the access user profiles permission.
 */
+/**
+ * Implements hook_menu_alter().
+ */
+function username_enumeration_prevention_menu_alter(&$items) {
+  $items['user/%user']['delivery callback'] = 'username_enumeration_prevention_delivery_wrapper';
+}
+/**
+ * Converts 403 Access Denied responses to 404 Not Found on user profiles.
+ */
+function username_enumeration_prevention_delivery_wrapper($page_callback_result) {
+  if ($page_callback_result == MENU_ACCESS_DENIED) {
+    $page_callback_result = MENU_NOT_FOUND;
+  }
+  drupal_deliver_html_page($page_callback_result);
+}
 /**
 * Implements hook_form_FORM_ID_alter().
 *