account/show/:user_id should not be accessible for other users not in your projects
|Category:||Accounts / authentication|
We use Redmine in a setting where certain users should not be able to see the name and email of every other user in the system. For example, when you have two separate clients involved in separate private projects, these clients shouldn't be able to access each others user profile at /account/show/:other_user_id. They should have no way of discovering other users in the same system that aren't involved in their projects.
To increase privacy and security of a Redmine system, particularily where it is not good to expose who all the users are it would be nice to restrict access to those users which are in public projects or private projects that the current user is also in.