Defect #4129
Anonymous users can get all user's information
| Status: | Closed | Start date: | 2009-10-28 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 0% |
| Category: | Accounts / authentication | | |
| Target version: | - | | |
| Resolution: | Duplicate | Affected version: | |
Description
Everybody (even anonymously) can crawl the '/account/show/<number>' path, getting a list of:
- all user names
- on which day they created their account
- email (if public)
I think Redmine should show the 404 page when accessing '/account/show/<number>' if the accessor sees no activity for that user.
This check would solve all the cases: anonymous accesses as well as logged-in users who should not know anything about other users (either not collaborating in a project or not in a public project).
This sounds easy to code, but I have no ruby knowledge; sorry.
Thanks
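As an added illustration of the check proposed in the report (not Redmine's own code; the `User`, `Project`, `profile_visible?` and `show_account` names are hypothetical), a plain-Ruby model of "respond 404 unless the viewer could already see some activity of that user":

```ruby
# Added example, not part of the Redmine code base. Plain Ruby structs stand in
# for ActiveRecord models; only the visibility logic matters here.
User = Struct.new(:id, :login, :anonymous)
Project = Struct.new(:id, :is_public, :member_ids)

# A target's profile is visible to a viewer when the viewer could already see
# that user's activity: they share a project, or the target belongs to a public
# project (visible to everyone, anonymous viewers included). Users also always
# see their own profile.
def profile_visible?(viewer, target, projects)
  return true if !viewer.anonymous && viewer.id == target.id
  projects.any? do |p|
    next false unless p.member_ids.include?(target.id)
    p.is_public || (!viewer.anonymous && p.member_ids.include?(viewer.id))
  end
end

# Controller-style helper: a hidden profile and a non-existent id both yield
# 404, so the status code cannot be used to enumerate which ids exist.
def show_account(viewer, user_id, users, projects)
  target = users.find { |u| u.id == user_id }
  return [404, nil] if target.nil? || !profile_visible?(viewer, target, projects)
  [200, { login: target.login }]
end

# Constructed sample data (hypothetical users and projects).
ALICE = User.new(1, "alice", false)
BOB   = User.new(2, "bob", false)
CAROL = User.new(3, "carol", false)
ANON  = User.new(nil, "anonymous", true)
USERS = [ALICE, BOB, CAROL]
PROJECTS = [
  Project.new(10, true,  [1]),    # public project; alice is a member
  Project.new(11, false, [2, 3])  # private project; bob and carol
]

if __FILE__ == $PROGRAM_NAME
  [[ANON, 1], [ANON, 2], [ANON, 99], [BOB, 3], [ALICE, 2]].each do |viewer, id|
    puts "#{viewer.login} -> /account/show/#{id}: #{show_account(viewer, id, USERS, PROJECTS)[0]}"
  end
end
```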
History
#1
Updated by Lucas Panjer over 12 years ago
same problem as #3720, slightly different solution.
#2
Updated by Jean-Philippe Lang over 12 years ago
- Category set to Accounts / authentication
- Status changed from New to Closed
- Resolution set to Duplicate