Anonymous users can get all user's information
Category: Accounts / authentication
Everybody (even anonymous users) can crawl the '/account/show/<number>' path, collecting a list of:
- all user names
- the day on which each account was created
- email address (if public)
I think Redmine should show the 404 page when accessing '/account/show/<number>' if the accessor sees no activity for that user.
This check would solve all the cases: anonymous accesses as well as logged-in users who should not know anything about other users (either not collaborating in a project or not in a public project).
This sounds easy to code, but I have no Ruby knowledge; sorry.
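The visibility rule the report asks for, written out as an added example in plain Ruby (this is not Redmine's code and uses none of its classes; the User/Project structs, `user_visible_to?` and `show_user` are assumptions made for illustration). A profile is shown only when the accessor is an admin, is the user themself, or shares a project the accessor can see (a public project, or one the accessor is a member of). A missing user and a hidden user both answer 404, so iterating over ids reveals nothing:

```ruby
# Added example (not Redmine's code): visibility check for a user profile page,
# modelled on the rule proposed in the report. All names here are assumptions.

User = Struct.new(:id, :login, :admin, keyword_init: true)
Project = Struct.new(:id, :is_public, :member_ids, keyword_init: true)

# Anonymous accessor: id 0, never an admin.
ANONYMOUS = User.new(id: 0, login: "anonymous", admin: false)

# Projects the accessor may see: public ones plus those they belong to
# (admins see everything).
def visible_projects(accessor, projects)
  return projects if accessor.admin
  projects.select { |p| p.is_public || p.member_ids.include?(accessor.id) }
end

# True when the accessor is entitled to see `target`'s profile, i.e. could
# see some activity of that user anyway.
def user_visible_to?(target, accessor, projects)
  return true if accessor.admin
  return true if accessor.id == target.id && accessor.id != ANONYMOUS.id
  visible_projects(accessor, projects).any? { |p| p.member_ids.include?(target.id) }
end

# Stand-in for the controller action: look the user up, apply the rule and
# return [http_status, body]. "No such user" and "user you may not see" give
# the same 404 so that enumeration over ids learns nothing.
def show_user(user_id, accessor, users, projects)
  target = users.find { |u| u.id == user_id }
  return [404, "Not Found"] if target.nil?
  return [404, "Not Found"] unless user_visible_to?(target, accessor, projects)
  [200, { login: target.login }]
end

# Constructed sample data.
USERS = [
  User.new(id: 1, login: "admin", admin: true),
  User.new(id: 2, login: "alice", admin: false),
  User.new(id: 3, login: "bob",   admin: false),
  User.new(id: 4, login: "carol", admin: false),
]
PROJECTS = [
  Project.new(id: 10, is_public: true,  member_ids: [2]),    # alice is in a public project
  Project.new(id: 11, is_public: false, member_ids: [3, 4]), # bob and carol share a private one
]

if __FILE__ == $PROGRAM_NAME
  alice, bob = USERS[1], USERS[2]
  p show_user(2, ANONYMOUS, USERS, PROJECTS)  # 200: alice is in a public project
  p show_user(3, ANONYMOUS, USERS, PROJECTS)  # 404: bob is only in a private project
  p show_user(4, bob, USERS, PROJECTS)        # 200: bob shares a project with carol
  p show_user(3, alice, USERS, PROJECTS)      # 404: alice shares nothing with bob
  p show_user(999, USERS[0], USERS, PROJECTS) # 404: no such user
end
```

The important design choice is that the check runs before any user attribute is rendered and that the two failure cases are indistinguishable from the outside; responding 403 for hidden users would still confirm that the id exists.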