Merge pull request #20524 from bernt-matthias/users

[24.2] Do not expose user info to non authenticated users

Author: mvdbeek

lib/galaxy/webapps/galaxy/services/users.py

@@ -202,6 +202,10 @@ def get_index(
         f_name: Optional[str],
         f_any: Optional[str],
     ) -> List[MaybeLimitedUserModel]:
+        # never give any info to non-authenticated users
+        if not trans.user:
+            raise glx_exceptions.AuthenticationRequired("Only registered users can view the list of users")
+
         # check for early return conditions
         if deleted:
             if not trans.user_is_admin:
@@ -216,10 +220,7 @@ def get_index(
                 and not trans.app.config.expose_user_name
                 and not trans.app.config.expose_user_email
             ):
-                if trans.user:
-                    return [UserModel(**trans.user.to_dict())]
-                else:
-                    return []
+                return [UserModel(**trans.user.to_dict())]
 
         users = get_users_for_index(
             trans.sa_session,

lib/galaxy_test/api/test_users.py

@@ -47,6 +47,11 @@ def test_index(self):
         all_deleted_users = all_deleted_users_response_2.json()
         assert len([u for u in all_deleted_users if u["email"] == TEST_USER_EMAIL_INDEX_DELETED]) == 1
 
+    def test_index_anon(self):
+        with self._different_user(anon=True):
+            all_users_response = self._get("users")
+            self._assert_status_code_is(all_users_response, 403)
+
     @requires_new_user
     def test_index_only_self_for_nonadmins(self):
         self._setup_user(TEST_USER_EMAIL)