Administrators have some expectation when using the suggest.accounts
visibility restriction feature that users cannot get the names or
email addresses for arbitrary accounts. In fact, because account IDs
are sequential, it would be easy for an adversary to get personal
information of all users on the server by requesting every user's
dashboard.

This change reuses the visibility restrictions established for the
suggestion service, moving the logic to a common AccountControl class.
This includes changing the meaning of the suggest.accounts config
option to be a boolean indicating whether account suggestion should
happen at all, which is now orthogonal to the account visibility
restriction policy. We still recognize the old values for
suggest.accounts, with the slight behavior change that
suggest.accounts=OFF now means that users cannot access the dashboards
of any other users. Administrators who do not want this behavior can
update their configuration.

Change-Id: I7c59aaf4a6196f294848c061f55bd8dd308d939d