WIP: pkgs/forgejo: empty /explore/users (UNTESTED) #84

Closed

ckie wants to merge 1 commit from forgejo-hide-users into main

pull from: forgejo-hide-users

merge into: the-distro:main

the-distro:main

the-distro:builder

the-distro:email-groups

the-distro:cache-ipv4

the-distro:format

the-distro:acls

the-distro:hexchen/colmena-checker

the-distro:hexy/credentials

the-distro:buildbot

the-distro:ckie/moarr-v4

the-distro:gerrit-metrics

the-distro:moar-builders

the-distro:unplug-epyc

the-distro:hydra-wire-up

the-distro:alertmanager

the-distro:fodwatch

the-distro:cadvisor-containers

the-distro:gerrit-http-clones

the-distro:meta01

Conversation 4 Commits 1 Files changed 1 +4

ckie commented 2024-07-30 00:46:27 +00:00

Member

Copy link

this is 3am wandering around . i didn't test because it's too much of a pain to wire it up rn.

looks harmless, you can just deploy and rollback if it doesn't work ><

this is 3am wandering around . i didn't test because it's too much of a pain to wire it up rn. looks harmless, you can just deploy and rollback if it doesn't work ><

ckie added 1 commit 2024-07-30 00:46:31 +00:00

pkgs/forgejo: empty /explore/users 96aa1a4cf2

networkexception requested review from emilylange 2024-07-30 13:07:00 +00:00

emilylange commented 2024-07-30 17:50:55 +00:00

Member

Copy link

Hmm so as I mentioned on Matrix yesterday some time after this PR, the proper way to do this would be setting "service.explore".DISABLE_USERS_PAGE = true;¹.

But even with that, the API is still wide open. So it really depends on what the motivation behind this is.
If we want to hide all users completely, this is the wrong approach. If we want to hide the most obvious user listing, this works.

Also, something I just found out: Forgejo embeds "participants", "assignees" and "mentionable teams" of a given repository into the HTML as Javascript array of some repository views.

This is intended for stuff like the @username autocomplete when writing a comment under an issue or selecting an assignee/reviewer.

But of course Forgejo injects this unconditionally whether you are logged in (and have permissions to actually do those things) or not.

This is really great (/s) for repositories with, say, hundreds of participants, because it puts almost always unnecessary load on the database looking up hundreds of users and their username, display name and avatar url.

---

1. https://forgejo.org/docs/latest/admin/config-cheat-sheet/#service---explore-serviceexplore ↩︎

Hmm so as I mentioned on Matrix yesterday some time after this PR, the proper way to do this would be setting `"service.explore".DISABLE_USERS_PAGE = true;`[^1]. But even with that, the API is still wide open. So it really depends on what the motivation behind this is. If we want to hide all users completely, this is the wrong approach. If we want to hide the most obvious user listing, this works. Also, something I just found out: Forgejo embeds "participants", "assignees" and "mentionable teams" of a given repository into the HTML as Javascript array of some repository views. This is intended for stuff like the `@username` autocomplete when writing a comment under an issue or selecting an assignee/reviewer. But of course Forgejo injects this unconditionally whether you are logged in (and have permissions to actually do those things) or not. This is really great (/s) for repositories with, say, hundreds of participants, because it puts almost always unnecessary load on the database looking up hundreds of users and their username, display name and avatar url. [^1]: https://forgejo.org/docs/latest/admin/config-cheat-sheet/#service---explore-serviceexplore

emilylange changed title from pkgs/forgejo: empty /explore/users (UNTESTED) to WIP: pkgs/forgejo: empty /explore/users (UNTESTED) 2024-07-30 17:51:54 +00:00

ckie commented 2024-07-30 22:51:25 +00:00

Author

Member

Copy link

If we want to hide all users completely, this is the wrong approach. If we want to hide the most obvious user listing, this works.

a bit of privacy is better than none, i think. naturally with all of this we're just raising the effort necessary, and that's natural.

feel free to submit a new pr (or take over this one!) with "service.explore".DISABLE_USERS_PAGE = true; (^:

> If we want to hide all users completely, this is the wrong approach. If we want to hide the most obvious user listing, this works. a bit of privacy is better than none, i think. naturally with all of this we're just raising the effort necessary, and that's natural. feel free to submit a new pr (or take over this one!) with `"service.explore".DISABLE_USERS_PAGE = true;` (^:

👍 1

emilylange commented 2024-07-30 23:52:52 +00:00

Member

Copy link

Resolved in commit 96d58bbd41.

See https://git.forkos.org/explore/users :)

Resolved in commit 96d58bbd412cac8fda2707284478cfaf16555306. See https://git.forkos.org/explore/users :)

emilylange closed this pull request 2024-07-30 23:52:53 +00:00

ckie commented 2024-07-31 00:00:32 +00:00

Author

Member

Copy link

wonderful <3

wonderful <3

ckie deleted branch forgejo-hide-users 2024-07-31 00:01:05 +00:00

Pull request closed

This pull request cannot be reopened because the branch was deleted.

Sign in to join this conversation.

Reviewers

No reviewers

emilylange

Labels

Clear labels

No items

No labels

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

2 participants

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: the-distro/infra#84

No description provided.