From 322383b0847426cb92533528a784471b94193a3b Mon Sep 17 00:00:00 2001
From: Frédéric Guillot
Date: Wed, 30 Jan 2019 21:07:56 -0800
Subject: Always returns a 404 otherwise people might guess which user exist
---
 app/Controller/BaseController.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'app/Controller')
diff --git a/app/Controller/BaseController.php b/app/Controller/BaseController.php
index 637c3db1..1dd7d372 100644
--- a/app/Controller/BaseController.php
+++ b/app/Controller/BaseController.php
@@ -153,7 +153,8 @@ abstract class BaseController extends Base
 }
 if (! $this->userSession->isAdmin() && $this->userSession->getId() != $user['id']) {
- throw new AccessForbiddenException();
+ // Always returns a 404 otherwise people might guess which user exist.
+ throw new PageNotFoundException();
 }
 return $user;
-- 
cgit v1.2.3
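Review bot: The new `throw new PageNotFoundException();` only closes the enumeration oracle if its response is indistinguishable from the one returned for a user id that does not exist, and the hunk shows only the closing brace of the preceding branch, so that cannot be confirmed from here. A regression test asserting that a non-admin gets the same status and body for another user's id and for a non-existent id would pin the intended behaviour. Replacing `AccessForbiddenException` also removes the signal that an authenticated user was denied access to another account; if such denials are logged or monitored anywhere, record the event before the throw so that probing stays visible to operators. The comment would read more clearly as `// Always return a 404, otherwise the response reveals which user ids exist.` The enclosing method starts and ends outside the hunk.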