Closed TonisOrmisson closed 7 months ago
Currently any user can check any other user's profile. This change will add a module parameter disableProfileViewsForRegularUsers which will only allow admin level users to check other people's profiles.
Wow... Looks like an information disclosure issue. I'd consider defaulting the new param to true.
Yes, I actually had the same question in mind. I definitely want this to be "closed" by default, not open as it is now. I would rename the param if it's a wider consensus that the default should be closed. It will possibly be a breaking change then. Maybe close it by default and then do a v1.7 release?
I did not check that before, but it seems the profile view page is not only open to any logged-in user, but also to guests. I suggest it should be 2-level closing here: 1) whether it's open to logged-in users vs admin, 2) whether it's open to guests.
I will suggest changes towards that direction in a while
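To make the two-level closing proposed above concrete, here is an added illustrative model of the access decision (example code, not the module's own implementation). disableProfileViewsForRegularUsers is the parameter from the PR; disableProfileViewsForGuests is a hypothetical name for the second, guest-level parameter; the "own profile is always visible" rule and the rule that guest access never exceeds regular-user access are my assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProfileViewPolicy:
    """Module parameters for profile visibility.

    Both default to True, i.e. closed by default, which is the direction the
    thread argues for. The change as merged keeps the old open behaviour,
    modelled below as LEGACY_OPEN_POLICY.
    """
    disableProfileViewsForRegularUsers: bool = True   # level 1: logged-in non-admins
    disableProfileViewsForGuests: bool = True         # level 2 (hypothetical name): not logged in


# Current behaviour before the change: anyone, guests included, can view any profile.
LEGACY_OPEN_POLICY = ProfileViewPolicy(
    disableProfileViewsForRegularUsers=False,
    disableProfileViewsForGuests=False,
)


@dataclass(frozen=True)
class Viewer:
    user_id: Optional[int]   # None means a guest (not logged in)
    is_admin: bool = False


def can_view_profile(viewer: Viewer, profile_owner_id: int, policy: ProfileViewPolicy) -> bool:
    """Return True if `viewer` may open the profile page of `profile_owner_id`."""
    if viewer.user_id is None:
        # Level 2: guests. Assumption: guest access must never be wider than
        # regular-user access, so a config that closes level 1 but opens level 2
        # still blocks guests instead of leaking profiles to anonymous visitors.
        return not policy.disableProfileViewsForGuests and \
            not policy.disableProfileViewsForRegularUsers
    if viewer.user_id == profile_owner_id:
        # Assumption: a logged-in user can always see their own profile.
        return True
    if viewer.is_admin:
        # Admins are the only role the new parameter never restricts.
        return True
    # Level 1: regular users are allowed only when the parameter is switched off.
    return not policy.disableProfileViewsForRegularUsers
```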
Ok, I'll merge this as-is. I'd then close up in the next release.
Do you mind creating a new issue, so others are aware of the future change and it's open for discussion?
thank you
ok, I'll do that. But I would suggest to do a minor release on this one then also with this fix