Project

General

Profile

Actions

Feature #3720

closed

account/show/:user_id should not be accessible for other users not in your projects

Added by Lucas Panjer over 14 years ago. Updated over 14 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
Accounts / authentication
Target version:
Start date:
2009-08-07
Due date:
% Done:

0%

Estimated time:
Resolution:
Fixed

Description

We use Redmine in a setting where certain users should not be able to see the name and email of every other user in the system. For example, when you have two separate clients involved in separate private projects, these clients shouldn't be able to access each others user profile at /account/show/:other_user_id. They should have no way of discovering other users in the same system that aren't involved in their projects.

To increase privacy and security of a Redmine system, particularily where it is not good to expose who all the users are it would be nice to restrict access to those users which are in public projects or private projects that the current user is also in.


Related issues

Related to Redmine - Defect #4129: Anonymous users can get all user's informationClosed2009-10-28

Actions
Has duplicate Redmine - Defect #5351: View /account/show/id-user on Redmine 0.9.2Closed2010-04-192010-04-21

Actions
Actions #1

Updated by Jean-Philippe Lang over 14 years ago

  • Tracker changed from Defect to Feature
Actions #2

Updated by Jean-Philippe Lang over 14 years ago

  • Category set to Accounts / authentication
  • Status changed from New to Closed
  • Target version set to 0.8.6
  • Resolution set to Fixed

Fixed in r2986. User won't be displayed if there's no visible project or activity.

Actions #3

Updated by Jean-Philippe Lang over 14 years ago

  • Target version changed from 0.8.6 to 0.9.0
Actions #4

Updated by Jean-Philippe Lang over 14 years ago

  • Target version changed from 0.9.0 to 0.8.6

Merged in 0.8 branch in r2987.

Actions

Also available in: Atom PDF