Anonymous user can enumerate all users through `/api/v4/users/:id`
## Background
An anonymous user can currently use the API to retrieve information about any GitLab user by either ID or username:
- Anonymous users CANNOT use the [API endpoint to list all users](https://docs.gitlab.com/ee/api/users.html#list-users). An anonymous request returns 403 Forbidden unless there is a `username` parameter. That is deliberate. From [20f679d6](https://gitlab.com/gitlab-org/gitlab/-/commit/20f679d620380b5b5e662b790c76caf256867b01): "The issue filtering frontend code needs access to this [username] API for non-logged-in users + public projects."
- Anonymous users CAN use the [API endpoint to get a single user by numeric ID](https://docs.gitlab.com/ee/api/users.html#single-user). An anonymous request returns 200 OK with the user's information. This may not be deliberate.
## Problem to solve
Anonymous users can enumerate GitLab users through the [API endpoint to get a single user](https://docs.gitlab.com/ee/api/users.html#single-user) (`/api/v4/users/:id`), because the `:id` values are numeric and sequential: walking the ID space from 1 upward returns every user's public profile without authentication. It seems this shouldn't be allowed in general, and it is also inconsistent with how we treat the [API endpoint to list all users](https://docs.gitlab.com/ee/api/users.html#list-users) specifically.
## Proposal
Anonymous users should not be able to get user information by ID.
Note: This proposal is only feasible if there is no frontend dependency (like there is with `username` lookup).
Since the same attack applies to `/api/v4/users/:id/followers` and `/api/v4/users/:id/following`, we should require authentication for those endpoints too.
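As an added illustration of both the problem and the proposal (not GitLab's own code): `requires_auth` encodes the proposed policy for the three numeric-ID endpoints while leaving the `username` lookup open, and `enumeration_report` flags anonymous clients that walked consecutive user IDs in a constructed sample of access records (the log format and IPs are assumptions, not GitLab's log schema).

```python
import re
from collections import defaultdict

# Constructed sample of API access records (not real GitLab log data):
# "<client_ip> <auth> <method> <path> <status>", auth is "anonymous" or "token".
SAMPLE_LOG = """\
203.0.113.7 anonymous GET /api/v4/users/101 200
203.0.113.7 anonymous GET /api/v4/users/102 200
203.0.113.7 anonymous GET /api/v4/users/103 200
203.0.113.7 anonymous GET /api/v4/users/104/followers 200
203.0.113.7 anonymous GET /api/v4/users/105/following 200
198.51.100.4 anonymous GET /api/v4/users?username=alice 200
198.51.100.4 anonymous GET /api/v4/users/42 200
192.0.2.9 token GET /api/v4/users/7 200
192.0.2.9 token GET /api/v4/users/8 200
192.0.2.9 token GET /api/v4/users/9 200
"""

# Numeric-ID lookups named in the proposal: /users/:id, /users/:id/followers,
# /users/:id/following. The query-string lookup (?username=) is not matched.
ID_LOOKUP = re.compile(r"^/api/v4/users/(\d+)(?:/followers|/following)?/?$")


def requires_auth(path: str) -> bool:
    """Proposed policy: anonymous callers may not look users up by numeric ID."""
    return ID_LOOKUP.match(path) is not None


def enumeration_report(log_text: str, min_ids: int = 3) -> dict[str, list[int]]:
    """Return {client: sorted_ids} for anonymous clients whose ID lookups
    include a run of at least min_ids consecutive user IDs."""
    seen: dict[str, set[int]] = defaultdict(set)
    for line in log_text.splitlines():
        client, auth, _method, path, _status = line.split()
        m = ID_LOOKUP.match(path)
        if m and auth == "anonymous":
            seen[client].add(int(m.group(1)))
    flagged: dict[str, list[int]] = {}
    for client, ids in seen.items():
        ordered = sorted(ids)
        run = best = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_ids:
            flagged[client] = ordered
    return flagged


if __name__ == "__main__":
    for client, ids in enumeration_report(SAMPLE_LOG).items():
        print(f"{client}: anonymous sequential ID lookups {ids[0]}..{ids[-1]}")
```

The authenticated client and the client that used `?username=` plus a single ID are not flagged; only the anonymous walk across `/users/:id`, `/followers` and `/following` is.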
## Out of scope
The [API endpoint to "lookup users by username"](https://docs.gitlab.com/ee/api/users.html#for-normal-users) should not be changed, because the frontend relies on this endpoint for anonymous users, and this endpoint is not as vulnerable to enumeration.
## Related links
- This problem was noticed in https://gitlab.com/gitlab-org/gitlab/-/issues/288853.