Defect #4129
Anonymous users can get all users' information
Status:
Closed
Priority:
Normal
Assignee:
-
Category:
Accounts / authentication
Target version:
-
Start date:
2009-10-28
Due date:
% Done:
0%
Estimated time:
Resolution:
Duplicate
Affected version:
Description
Everybody (even anonymously) can crawl on the '/account/show/<number>' path, getting a list of:
- all user names
- on which day they created their account
- email (if public)
I think redmine should show the 404 page when accessing '/account/show/<number>' if the accessor sees no activity for that user.
This check would solve all the cases: anonymous accesses as well as logged-in users who should not know anything about other users (either not collaborating in a project or not in a public project).
This sounds easy to code, but I have no ruby knowledge; sorry.
Thanks
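The check the reporter proposes (answer 404 unless the accessor can see activity for that user) worked through as an added Ruby example; this is not Redmine's code, and `User`, `Project`, `Directory`, every method name and the sample users and projects are constructed assumptions. It also covers the caveat a reviewer would raise: an unknown id and a user the viewer may not see must produce the same 404, otherwise the endpoint still confirms which ids exist.

```ruby
# Added, self-contained sketch of "404 unless the accessor sees activity for
# that user". Not Redmine's code: User, Project, Directory and all method
# names are assumptions made for this illustration.

User    = Struct.new(:id, :login, :admin, :mail_public, :mail, keyword_init: true)
Project = Struct.new(:id, :name, :is_public, keyword_init: true)

class Directory
  def initialize
    @users    = {}                              # id         => User
    @projects = {}                              # id         => Project
    @members  = Hash.new { |h, k| h[k] = [] }   # project id => [user ids]
  end

  def add_user(user)
    @users[user.id] = user
  end

  def add_project(project)
    @projects[project.id] = project
  end

  def add_member(project, user)
    @members[project.id] << user.id
  end

  def find_user(id)
    @users[id]
  end

  def projects_of(user)
    @projects.values.select { |p| @members[p.id].include?(user.id) }
  end

  # A project is visible to a viewer when it is public, or when the viewer is
  # one of its members. An anonymous viewer (nil) only sees public projects.
  def project_visible?(project, viewer)
    project.is_public || (viewer && @members[project.id].include?(viewer.id))
  end

  # The accessor "sees activity" for the target when the two share at least
  # one project the accessor may view. Admins and the user themselves pass.
  def user_visible?(target, viewer)
    return true if viewer && (viewer.admin || viewer.id == target.id)
    projects_of(target).any? { |p| project_visible?(p, viewer) }
  end

  # What the account page would answer: [status, body]. Unknown ids and
  # non-visible users both get 404 so the response cannot be used to tell
  # which ids exist. The e-mail is included only if the user made it public.
  def show_account(id, viewer)
    target = @users[id]
    return [404, nil] if target.nil? || !user_visible?(target, viewer)
    body = { login: target.login }
    body[:mail] = target.mail if target.mail_public
    [200, body]
  end
end

# Constructed sample data: one public and one private project.
def sample_directory
  d = Directory.new
  alice = User.new(id: 1, login: "alice", admin: false, mail_public: true,  mail: "alice@example.com")
  bob   = User.new(id: 2, login: "bob",   admin: false, mail_public: false, mail: "bob@example.com")
  carol = User.new(id: 3, login: "carol", admin: false, mail_public: true,  mail: "carol@example.com")
  root  = User.new(id: 4, login: "root",  admin: true,  mail_public: false, mail: "root@example.com")
  [alice, bob, carol, root].each { |u| d.add_user(u) }
  pub  = Project.new(id: 10, name: "open-source", is_public: true)
  priv = Project.new(id: 20, name: "internal",    is_public: false)
  d.add_project(pub)
  d.add_project(priv)
  d.add_member(pub,  alice)   # alice is only in the public project
  d.add_member(priv, bob)     # bob and carol are only in the private one
  d.add_member(priv, carol)
  d
end

if __FILE__ == $PROGRAM_NAME
  d = sample_directory
  puts "anonymous -> alice: #{d.show_account(1, nil).inspect}"               # 200, visible via public project
  puts "anonymous -> bob:   #{d.show_account(2, nil).inspect}"               # 404, only in a private project
  puts "anonymous -> #99:   #{d.show_account(99, nil).inspect}"              # 404, same answer as above
  puts "carol -> bob:       #{d.show_account(2, d.find_user(3)).inspect}"    # 200, shared private project
  puts "alice -> bob:       #{d.show_account(2, d.find_user(1)).inspect}"    # 404, no shared visible project
end
```

The rule is deliberately phrased as "share a project the viewer can see" rather than "viewer is logged in", which is what makes the second half of the report (logged-in users who share no project) fall out of the same check.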
Related issues
Updated by Lucas Panjer about 15 years ago
Same problem as #3720, slightly different solution.
Updated by Jean-Philippe Lang about 15 years ago
- Category set to Accounts / authentication
- Status changed from New to Closed
- Resolution set to Duplicate