How to prohibit public access to user info

Added by Richard Rauch over 7 years ago

Hello all,
I have a security problem with my Redmine installation!
My Redmine is accessible from the WWW, but it is hosting mostly closed projects for supporting my customers.
Actually I do not want to show everyone who my customers are.

But with Redmine it is possible to access some user information (name, email address) without any authorisation.

Examples for Redmine.org:
http://www.redmine.org/users/1
http://www.redmine.org/users/10
http://www.redmine.org/users/100

So in general, it is possible to find the names of all my customers by trying several user numbers.
Further, Google has already found most of these links.
When somebody wants to know if a person is a customer of my company, he needs to google for a name and some other keywords which are related to my company.

Is there any possibility to restrict access to such user information (e.g. only for admins)?

Thanks in advance

Richard


Replies (3)

RE: How to prohibit public access to user info - Added by Djordjije Crni over 7 years ago

Redmine configuration option "Authentication required" must be turned on (under Settings -> Authentication), and you can optionally turn on "Hide my email address" for "Default values for new users".
Set "Users visibility" to "Member of visible projects" for all roles.
Projects shouldn't have public access enabled.

RE: How to prohibit public access to user info - Added by Richard Rauch over 7 years ago

hmm,
unfortunately this is not working for me!
I wrote "server hosts mostly closed projects", which means that I have public content as well, e.g. product support, forum, bug tracking and wiki for products.
If I turned on "Authentication required", then for guests without registration there would be no access at all.

Further question: where exactly can I set "Users visibility"? I cannot find it.

RE: How to prohibit public access to user info - Added by Djordjije Crni over 7 years ago

"Users visibility" setting can be found on role editing page, since v3.0.0.
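After changing the role setting described in the replies above, the one thing left to do is confirm that an anonymous visitor to your own instance no longer gets the profile page. The script below is an added example written for this thread, not code from Redmine or from any participant: it fetches `/users/<id>` on your own server without any session cookie, classifies the HTTP status (only a 200 means the profile rendered for an anonymous visitor; a redirect to the login page, 403 or 404 all mean it is not shown), and greps the body for a `mailto:` link to confirm the address is hidden. The server URL and user id are placeholders you supply.

```shell
#!/bin/sh
# Added example for the thread above (not Redmine's own code).
# Checks, from an anonymous client, whether a Redmine user profile
# page is still publicly readable after the role/setting change.
# REDMINE_URL and USER_ID below are placeholders for your own instance.

# Map an HTTP status for an anonymous GET of /users/<id> to a verdict.
# 200: the profile page rendered for an anonymous visitor (exposed).
# Redirects (to /login), 401/403 and 404: the profile is not shown.
classify_status() {
  case "$1" in
    200) echo exposed ;;
    301|302|303|307|308|401|403|404) echo protected ;;
    *) echo unexpected ;;
  esac
}

# Return 0 if a response body still carries an e-mail link.
# Redmine renders a user's address as a mailto: link when it is not hidden.
body_has_email() {
  printf '%s' "$1" | grep -qi 'mailto:'
}

# Fetch the page anonymously: no cookies, redirects not followed.
# Prints the body, then the status code on its own last line.
anon_fetch() {
  curl -s --max-time 10 -w '\n%{http_code}' "$1"
}

# Check one profile URL and print a one-line verdict.
# Exit status 0 only when the profile is not exposed at all.
check_profile() {
  base="${1%/}"
  id="$2"
  url="$base/users/$id"
  response="$(anon_fetch "$url")"
  status="$(printf '%s\n' "$response" | tail -n 1)"
  body="$(printf '%s\n' "$response" | sed '$d')"
  verdict="$(classify_status "$status")"
  printf '%s -> HTTP %s (%s)\n' "$url" "$status" "$verdict"
  if [ "$verdict" = "exposed" ] && body_has_email "$body"; then
    printf '  e-mail address is visible to anonymous visitors\n'
  fi
  [ "$verdict" = "protected" ]
}

# Usage: sh check_redmine_profile.sh https://redmine.example.com 42
if [ "$#" -eq 2 ]; then
  check_profile "$1" "$2"
fi
```

Pick a user id that belongs only to private projects: with "Users visibility" set to "Member of visible projects", members of any project that is still public remain visible to anonymous visitors, so a 200 for such a user is the expected result rather than a misconfiguration.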
