Defect #4129

Anonymous users can get all user's information

Added by LluĂ­s Vilanova over 2 years ago. Updated over 2 years ago.

Status:Closed Start date:2009-10-28
Priority:Normal Due date:
Assignee:- % Done:

0%
Category:Accounts / authentication
Target version:-
Affected version:devel Resolution:Duplicate

Description

Everybody (even anonymously) can crawl on the '/account/show/<number>' path, getting a list of:
- all user names
- on which day did they create their account
- email (if public)

I think redmine should show the 404 page when accessing '/account/show/<number>' if the accessor sees no activity for that user.

This check would solve all the cases: anonymous accesses as well as logged in users which should not know anything about other users (either not collaborating in a project or not in a public project).

This sounds easy to code, but I have no ruby knowledge; sorry.

Thanks

Related issues

related to Feature #3720: account/show/:user_id should not be accessible for other ... Closed 2009-08-07
duplicated by Defect #5351: View /account/show/id-user on Redmine 0.9.2 Closed 2010-04-19 2010-04-21

Associated revisions

Revision 2986
Added by Jean-Philippe Lang over 2 years ago

Do not show user profile if no visible project or activity (#4129, #3720).

History

#1
Updated by Lucas Panjer over 2 years ago

same problem as #3720, slightly different solution.

#2
Updated by Jean-Philippe Lang over 2 years ago

  • Category set to Accounts / authentication
  • Status changed from New to Closed
  • Resolution set to Duplicate

Kind of dup of #3720. Anyway, this is fixed in r2986.

Also available in: Atom PDF