Unauthenticated users have access to userpages/login names

Added by Uwe Bueschel 3 months ago

Hello,

If I'm an unauthenticated user, I can browse through all user IDs to see detailed information.
To do this, I only need the base Redmine URL and walk through the numbers, example for redmine.org:

https://www.redmine.org/users/1
https://www.redmine.org/users/2
...
https://www.redmine.org/users/1333

So, now I have, for example, login names and can do some brute force to gain access.

Is it possible to prevent unauthenticated user browsing? I think it's a security risk.
In the roles configuration page, the visibility of users for "not members" is already configured.

Regards,


Replies (2)

RE: Unauthenticated users have access to userpages/login names - Added by Holger Just 3 months ago

If you have a Redmine which allows public access (i.e. where the flag in Administration -> Settings -> Authentication -> Require Authentication is set to No), you can restrict the users visible to anonymous users by editing the users visibility for the Anonymous role.

If you don't have any public projects that should be readable by unauthenticated users, you can also enforce authentication using the above mentioned setting. That way, the user pages are not visible to anonymous people at all.
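
A small verification script for the two settings above, added here as an example and not part of the thread or of Redmine itself. It requests a few profile pages of your own instance without any session cookie and reports whether the page was served, redirected to /login (authentication required) or refused (user hidden from the Anonymous role). BASE_URL and USER_IDS are placeholders to replace with your own instance and the IDs of accounts you administer; the `fetch` parameter of `audit` lets the classification be exercised offline.

```python
"""Added defender-side check (not from the thread): confirm that a Redmine
instance no longer serves user profile pages to anonymous visitors after
applying 'Require authentication' or restricting the Anonymous role's
users visibility."""
import urllib.error
import urllib.request
from dataclasses import dataclass

# Assumed values: replace with your own instance and a few user IDs you administer.
BASE_URL = "https://redmine.example.invalid"  # placeholder, not a real host
USER_IDS = (1, 2)


@dataclass
class Probe:
    """What an anonymous GET of /users/<id> returned."""
    status: int
    location: str  # Location header, if the server redirected
    body: str


def classify(probe: Probe) -> str:
    """Map one anonymous response to 'exposed', 'protected' or 'unknown'.

    With 'Require authentication' on, Redmine redirects anonymous visitors to
    /login. With anonymous access allowed but the user hidden from the
    Anonymous role, the profile is not rendered (403/404). Only a 200 means
    the profile page was actually served."""
    if 300 <= probe.status < 400 and "/login" in probe.location:
        return "protected"
    if probe.status in (401, 403, 404):
        return "protected"
    if probe.status == 200:
        return "exposed"
    return "unknown"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so the redirect itself is observable."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe_user_page(base_url: str, user_id: int, timeout: float = 10.0) -> Probe:
    """Fetch /users/<id> with no session cookie, i.e. as an anonymous visitor."""
    opener = urllib.request.build_opener(_NoRedirect())
    url = f"{base_url.rstrip('/')}/users/{user_id}"
    try:
        with opener.open(url, timeout=timeout) as resp:
            return Probe(resp.status, resp.headers.get("Location", ""),
                         resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        # urllib raises for 3xx (because we refuse to follow) and for 4xx/5xx.
        return Probe(err.code, err.headers.get("Location", ""), "")


def audit(base_url: str, user_ids, fetch=probe_user_page) -> dict:
    """Probe each id and return {id: 'exposed' | 'protected' | 'unknown'}.

    `fetch` is injectable so the logic can be exercised without a network."""
    return {uid: classify(fetch(base_url, uid)) for uid in user_ids}


def exposed_ids(results: dict) -> list:
    """IDs whose profile page is still readable anonymously."""
    return sorted(uid for uid, verdict in results.items() if verdict == "exposed")


if __name__ == "__main__":
    results = audit(BASE_URL, USER_IDS)
    for uid, verdict in results.items():
        print(f"/users/{uid}: {verdict}")
    if exposed_ids(results):
        raise SystemExit("anonymous visitors can still read user profiles")
    print("ok: no anonymous profile exposure detected")
```

Run it once before and once after changing the setting; a non-zero exit means at least one of the listed profiles is still served to anonymous visitors. Only the "exposed" verdict is conclusive, since a redirect to /login and a 403/404 are both acceptable outcomes depending on which of the two settings you chose.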

RE: Unauthenticated users have access to userpages/login names - Added by Uwe Bueschel 3 months ago

Nice. Thank you! That solves my problem.
I deleted all users from public projects and set the visibility only to members of visible projects in the Anonymous role.