Defect #4129: Anonymous users can get all user's information - Redmine

Defect #4129

Anonymous users can get all user's information

Added by Lluís Vilanova over 12 years ago. Updated over 12 years ago.

Status:

Closed

Start date:

2009-10-28

Priority:

Normal

Due date:

Assignee:

% Done:

Category:

Accounts / authentication

Target version:

Resolution:

Duplicate

Affected version:

Description

Everybody (even anonymously) can crawl on the '/account/show/<number>' path, getting a list of:
- all user names
- on which day did they create their account
- email (if public)

I think redmine should show the 404 page when accessing '/account/show/<number>' if the accessor sees no activity for that user.

This check would solve all the cases: anonymous accesses as well as logged in users which should not know anything about other users (either not collaborating in a project or not in a public project).

This sounds easy to code, but I have no ruby knowledge; sorry.

Thanks

Related issues

Associated revisions

Revision 2986
Added by Jean-Philippe Lang over 12 years ago

Do not show user profile if no visible project or activity (#4129, #3720).

History

#1 Updated by Lucas Panjer over 12 years ago

same problem as #3720, slightly different solution.

#2 Updated by Jean-Philippe Lang over 12 years ago

Category set to Accounts / authentication
Status changed from New to Closed
Resolution set to Duplicate

Kind of dup of #3720. Anyway, this is fixed in r2986.

Also available in: Atom PDF

	Related to Redmine - Feature #3720: account/show/:user_id should not be accessible for other ...	Closed	2009-08-07
	Duplicated by Redmine - Defect #5351: View /account/show/id-user on Redmine 0.9.2	Closed	2010-04-19	2010-04-21

Redmine

Issues