Merge pull request #24 from nicksantamaria/2133887-prevent-enumeratio…

…n-userpage Prevent enumeration on user profile pages.
nicksantamaria · Jul 6, 2018 · 98b6759 · 98b6759
2 parents 455ee6d + 12e3176
commit 98b6759
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 0 deletions.
diff --git a/tests/simpletest/username_enumeration_prevention.test b/tests/simpletest/username_enumeration_prevention.test
@@ -104,4 +104,24 @@ class UsernameEnumerationPreventionTestCase extends DrupalWebTestCase {
     return $email;
   }
 
+  /**
+   * Submit the password reset form and check for resulting messaging.
+   */
+  public function testUserPageEnum() {
+    // Add some fake uids.
+    $uids = [13, 22, 1098];
+
+    // Create some real users.
+    for ($i = 0; $i < 5; $i++) {
+      $user = $this->drupalCreateUser();
+      $uids[] = $user->uid;
+    }
+
+    foreach ($uids as $uid) {
+      // Hit user/[uid] and ensure a 404.
+      $this->drupalGet(sprintf("user/%d", $uid));
+      $this->assertResponse(404, t('Page not found error returned when viewing user profile pages.'));
+    }
+  }
+
 }
diff --git a/username_enumeration_prevention.module b/username_enumeration_prevention.module
@@ -9,6 +9,23 @@
  * only for users with the access user profiles permission.
  */
 
+/**
+ * Implements hook_menu_alter().
+ */
+function username_enumeration_prevention_menu_alter(&$items) {
+  $items['user/%user']['delivery callback'] = 'username_enumeration_prevention_delivery_wrapper';
+}
+
+/**
+ * Converts 403 Access Denied responses to 404 Not Found on user profiles.
+ */
+function username_enumeration_prevention_delivery_wrapper($page_callback_result) {
+  if ($page_callback_result == MENU_ACCESS_DENIED) {
+    $page_callback_result = MENU_NOT_FOUND;
+  }
+  drupal_deliver_html_page($page_callback_result);
+}
+
 /**
  * Implements hook_form_FORM_ID_alter().
  *