Previously edited private user URLs will redirect instead of 404'ing

[VillainsRule]

Description

Say you are a user named "a", where your profile is set to limited or private. Users not signed in can't see your profile. You decide to rename yourself to "b". Users not signed in visiting the /a profile URL will be visibly redirected to /b (and then shown a 404), which poses a concern since it essentially 'leaks' that this "b" user exists as well as their previous username.

Gitea Version

latest

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

N/A

Screenshots

No response

Git Version

No response

Operating System

Linux

How are you running Gitea?

I'm using systemd, although this isn't process-specific.

Database

SQLite

[lunny]

This may be a regression from #34034

[wxiaoguang]

This may be a regression from #34034

How could it be related? 34034 only touches the "rename repo" logic for "git route handlers". Why it affects a "owner"'s redirection?

[lunny]

The Lookup checking should be moved after permission checking. https://github.com/go-gitea/gitea/pull/34032/files

[wxiaoguang]

The Lookup checking should be moved after permission checking. https://github.com/go-gitea/gitea/pull/34032/files

Again, how could it be related?

The issue description says "Users not signed in visiting the /a profile URL will be visibly redirected to /b (and then shown a 404)", but your screenshot only shows githttp.go, it's not related to "user profile". Even if the githttp has a problem, that's a new problem.

[lunny]

Because the reqGitSignIn has been removed which is assumed to have been checked. When checking the permission, the first step is to check the repository in the database, the current logic is to redirect if the repository doesn't exist before returned ctx.Resp.Header().Set("WWW-Authenticate", Basic realm="Gitea")

redirect ref: https://github.com/go-gitea/gitea/blob/main/routers/web/repo/githttp.go#L113
auth ref: https://github.com/go-gitea/gitea/blob/main/routers/web/repo/githttp.go#L148

[wxiaoguang]

Are we talking about the same thing?

The issue is asking about "Users not signed in visiting the /a profile URL will be visibly redirected to /b", they are "owner" handlers and related to "renamed user"

But your "githttp.go" is ONLY for GIT CLIENT access and related to "rename repo".

[VillainsRule]

I'm here to clarify that this is not related to #34034, as that refers to repository renaming and this issue refers to owner renaming and owner privacy.