From 27f12f7be90f6c797991570cf76d75f29dbc0d57 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jes=C3=BAs=20Espino?=
Date: Wed, 1 Oct 2014 23:49:23 +0200
Subject: [PATCH] Fixed security bug on users info
---
 taiga/users/api.py | 3 +--
 taiga/users/permissions.py | 2 +-
 2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/taiga/users/api.py b/taiga/users/api.py
index e342a34c..89fd9429 100644
--- a/taiga/users/api.py
+++ b/taiga/users/api.py
@@ -54,8 +54,7 @@ class MembersFilterBackend(BaseFilterBackend):
 return queryset.filter(Q(memberships__project=project) | Q(id=project.owner.id)).distinct()
 else:
 raise exc.PermissionDenied(_("You don't have permisions to see this project users."))
- else:
- return queryset
+ return []
 class UsersViewSet(ModelCrudViewSet):
diff --git a/taiga/users/permissions.py b/taiga/users/permissions.py
index 2c3c8c9c..c067fa19 100644
--- a/taiga/users/permissions.py
+++ b/taiga/users/permissions.py
@@ -27,7 +27,7 @@ class IsTheSameUser(PermissionComponent):
 class UserPermission(TaigaResourcePermission):
 enought_perms = IsSuperUser()
 global_perms = None
- retrieve_perms = AllowAny()
+ retrieve_perms = IsTheSameUser()
 update_perms = IsTheSameUser()
 destroy_perms = IsTheSameUser()
 list_perms = AllowAny()
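Review bot: The new fall-through `return []` in MembersFilterBackend hands a plain list back to a filter-backend chain that the rest of the view stack (further backends, ordering, pagination's `.count()`) treats as a QuerySet, so the no-project case is likely to surface as an AttributeError instead of an empty page. `return queryset.none()` denies the same rows while keeping the QuerySet contract intact. With the dangling `else` removed, the `else:` guarding `raise exc.PermissionDenied(...)` is now redundant and the raise can sit at the same level as the membership branch. The enclosing method starts outside the hunk, so how `project` is resolved and whether unauthenticated requests reach this point cannot be checked here.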
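Review bot: `retrieve_perms = IsTheSameUser()` closes the per-user detail route while `list_perms = AllowAny()` a few lines below stays open, so the same user records remain reachable through the list route unless the filter backend scopes them; the two settings only make sense together and that dependency is not written anywhere in this class. A comment above `list_perms` would make the boundary explicit, e.g. `# list stays AllowAny: visibility is narrowed by MembersFilterBackend (taiga/users/api.py), not by this permission` — I am inferring that coupling from the sibling hunk in this patch, so confirm it against the viewset's filter_backends. A regression test that retrieves another user's detail as an authenticated non-member and expects a permission error, and lists users with no project filter and expects an empty result, would pin both halves of the fix.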