Defect #34593

privacy problem on users info

Added by Fabrizio Sebastiani 9 days ago. Updated 2 days ago.

Status: Needs feedback
Priority: Normal
Assignee: -
Category: -
Target version: -
Resolution:
Start date:
Due date:
% Done: 0%
Affected version: 4.1.1

Description

If a logged-in user starts to access cyclically URLs like this:

 https://example.com/redmine/users/5
 https://example.com/redmine/users/6
 https://example.com/redmine/users/7
 ...

he/she will get the full organization's users, members, information, accounts, emails, etc. This is particularly sensitive information if the organization needs to hide and protect membership information from all users.

This looks like a violation of privacy. Also, the organization cannot hide this wide-ranging information from any member. It looks like a design lack.
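One way to spot the access pattern this ticket describes from the defender's side, as an added example that is not part of the ticket or of Redmine itself: a detector that flags logins viewing many distinct /users/N profiles in a short window. The log format, IPs and login names below are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not from the ticket): combined-log style, with the
# authenticated Redmine login in the third field.
SAMPLE_LOG = """\
203.0.113.7 - alice [10/May/2021:10:00:01 +0000] "GET /redmine/users/5 HTTP/1.1" 200 5120
203.0.113.7 - alice [10/May/2021:10:00:03 +0000] "GET /redmine/users/6 HTTP/1.1" 200 5098
203.0.113.7 - alice [10/May/2021:10:00:04 +0000] "GET /redmine/users/7 HTTP/1.1" 200 5133
203.0.113.7 - alice [10/May/2021:10:00:06 +0000] "GET /redmine/users/8 HTTP/1.1" 200 5101
203.0.113.7 - alice [10/May/2021:10:00:07 +0000] "GET /redmine/users/9 HTTP/1.1" 200 5077
198.51.100.2 - bob [10/May/2021:10:00:05 +0000] "GET /redmine/users/5 HTTP/1.1" 200 5120
198.51.100.2 - bob [10/May/2021:10:02:09 +0000] "GET /redmine/issues/42 HTTP/1.1" 200 8120
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"GET (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
USER_PATH_RE = re.compile(r"^/redmine/users/(\d+)$")


def parse_requests(text):
    """Yield (login, timestamp, viewed_user_id) for successful GETs to a user profile."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("status") != "200":
            continue
        p = USER_PATH_RE.match(m.group("path"))
        if not p:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        yield m.group("user"), ts, int(p.group(1))


def detect_user_enumeration(text, min_distinct=4, window_seconds=60):
    """Return {login: sorted distinct user ids} for every login that viewed at
    least `min_distinct` different profiles within some `window_seconds` span."""
    by_login = defaultdict(list)
    for login, ts, uid in parse_requests(text):
        by_login[login].append((ts, uid))
    hits = {}
    for login, events in by_login.items():
        events.sort()  # chronological, so each window is a contiguous slice
        for i, (start, _) in enumerate(events):
            ids = {uid for ts, uid in events[i:]
                   if (ts - start).total_seconds() <= window_seconds}
            if len(ids) >= min_distinct:
                hits[login] = sorted(ids)
                break
    return hits
```

A single profile view (bob) is normal collaboration and is not flagged; the thresholds are starting points to tune against the instance's own traffic.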

History

#1 Updated by Marius BALTEANU 9 days ago

  • Status changed from New to Needs feedback

Can you access all that information using a user without permissions?

#2 Updated by Michael Troester 2 days ago

Marius BALTEANU wrote:

Can you access all that information using a user without permissions?

I can, from my (presumably) unprivileged acct. The 'hide email address' feature seems to work, though. Maybe we need to add more 'hide [data]' options for other sensitive data fields?
