From aff8f8636edff557e0b2e737a6ca4c538f4a7bf0 Mon Sep 17 00:00:00 2001
From: James Vega <jamessan@users.sourceforge.net>
Date: Sat, 19 Feb 2005 00:23:34 +0000
Subject: [PATCH] Disallow retrieving other people's capabilities and make the
 response private so we don't leak channel information.

---
 plugins/User/plugin.py | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/plugins/User/plugin.py b/plugins/User/plugin.py
index 945cbbdc1..007fa01c3 100644
--- a/plugins/User/plugin.py
+++ b/plugins/User/plugin.py
@@ -317,7 +317,16 @@ class User(callbacks.Plugin):
         Returns the capabilities of the user specified by <name>; if <name>
         isn't specified, returns the hostmasks of the user calling the command.
         """
-        irc.reply('[%s]' % '; '.join(user.capabilities))
+        try:
+            u = ircdb.users.getUser(msg.prefix)
+        except KeyError:
+            irc.errorNotRegistered()
+        else:
+            if u == user or u._checkCapability('owner'):
+                irc.reply('[%s]' % '; '.join(user.capabilities), private=True)
+            else:
+                irc.error(conf.supybot.replies.incorrectAuthentication(),
+                          Raise=True)
     capabilities = wrap(capabilities, [first('otherUser', 'user')])
 
     def identify(self, irc, msg, args, user, password):