Defect #4129

Anonymous users can get all user's information

Added by Lluís Vilanova almost 8 years ago. Updated almost 8 years ago.

Status: Closed
Start date: 2009-10-28
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: Accounts / authentication
Target version: -
Resolution: Duplicate
Affected version:

Description

Everybody (even anonymously) can crawl on the '/account/show/<number>' path, getting a list of:
- all user names
- on which day did they create their account
- email (if public)

I think redmine should show the 404 page when accessing '/account/show/<number>' if the accessor sees no activity for that user.

This check would solve all the cases: anonymous accesses as well as logged-in users who should not know anything about other users (either not collaborating in a project or not in a public project).

This sounds easy to code, but I have no ruby knowledge; sorry.

Thanks
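The visibility rule proposed in this report, written out as an added Ruby example (this is not Redmine's own code, nor the r2986 change): a profile under /account/show/:id is served only when the requester, anonymous or logged in, can see at least one project the target user belongs to; every other case gets the same 404 as a non-existent id, so the path no longer discloses logins, creation dates or public e-mail addresses. The User, Project, ANONYMOUS and show_account names and the sample data are constructed for this illustration.

```ruby
# Added illustration (not Redmine's code): a minimal model of "do not show
# the user profile unless the viewer sees a project or activity of that
# user". The 404 response is identical for "no such user" and "not
# visible", so a crawler cannot tell the two apart.

require 'date'

# Hypothetical stand-ins for Redmine's User, Project and Member models.
User    = Struct.new(:id, :login, :created_on, :mail, :mail_public)
Project = Struct.new(:id, :name, :is_public, :member_ids)

# A viewer that is not logged in.
ANONYMOUS = User.new(0, 'anonymous', nil, nil, false)

# Projects the viewer may see: public ones, plus those they are a member of.
def visible_projects(viewer, projects)
  projects.select { |p| p.is_public || p.member_ids.include?(viewer.id) }
end

# The proposed rule: a profile is visible to its owner, or to anyone who
# shares at least one visible project with the target user.
def profile_visible?(viewer, target, projects)
  return true if viewer.id == target.id
  visible_projects(viewer, projects).any? { |p| p.member_ids.include?(target.id) }
end

# Models GET /account/show/:id and returns [status, body].
def show_account(viewer, id, users, projects)
  target = users.find { |u| u.id == id }
  return [404, nil] if target.nil? || !profile_visible?(viewer, target, projects)

  profile = { login: target.login, created_on: target.created_on.iso8601 }
  profile[:mail] = target.mail if target.mail_public   # e-mail only if public
  [200, profile]
end

# Constructed sample data.
USERS = [
  User.new(1, 'alice', Date.new(2009, 1, 5), 'alice@example.test', true),
  User.new(2, 'bob',   Date.new(2009, 3, 9), 'bob@example.test',   false),
  User.new(3, 'carol', Date.new(2009, 6, 1), 'carol@example.test', true)
]
PROJECTS = [
  Project.new(10, 'public-site', true,  [1]),     # alice works on a public project
  Project.new(11, 'internal',    false, [2, 3])   # bob and carol on a private one
]

if $PROGRAM_NAME == __FILE__
  bob = USERS[1]
  [[ANONYMOUS, 1], [ANONYMOUS, 2], [bob, 3], [ANONYMOUS, 99]].each do |viewer, id|
    status, body = show_account(viewer, id, USERS, PROJECTS)
    puts "#{viewer.login} -> /account/show/#{id}: #{status} #{body.inspect}"
  end
end
```

Running the block shows the anonymous viewer getting alice's profile (she is on a public project) but a 404 for bob, while bob, who shares the private project with carol, can see her; an unknown id 99 yields the same 404 as the hidden user.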


Related issues

Related to Redmine - Feature #3720: account/show/:user_id should not be accessible for other ... Closed 2009-08-07
Duplicated by Redmine - Defect #5351: View /account/show/id-user on Redmine 0.9.2 Closed 2010-04-19 2010-04-21

Associated revisions

Revision 2986
Added by Jean-Philippe Lang almost 8 years ago

Do not show user profile if no visible project or activity (#4129, #3720).

History

#1 Updated by Lucas Panjer almost 8 years ago

same problem as #3720, slightly different solution.

#2 Updated by Jean-Philippe Lang almost 8 years ago

  • Category set to Accounts / authentication
  • Status changed from New to Closed
  • Resolution set to Duplicate

Kind of dup of #3720. Anyway, this is fixed in r2986.
