The problem
The route /user/[user-id] is a "public" profile page. By default this page is open and visible to anyone without any authorization, allowing anyone to collect data from the system and enumerate all usernames and user start dates. There are use cases where globally public user profile pages are fine, but in many cases it is not expected and can be an unwanted, unrealized way of collecting data on your system.
The solution
Implement a visibility policy for the profile page that can be configured to different levels, but that is CLOSED by default.
I have the PR ready and will submit it right after this.
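One way to express such a fail-closed visibility policy, as an added example that is not the project's code or the PR mentioned above. The configuration key `profileVisibility`, the levels `private`/`authenticated`/`public`, the helper names, and the in-memory user store are all assumptions made for illustration; the only point taken from the issue is that the route must be closed unless explicitly configured otherwise.

```javascript
// Added example (not the project's code): a fail-closed visibility policy
// for a profile route such as /user/[user-id].
//
// Assumptions (hypothetical): a config object with an optional
// `profileVisibility` key, a viewer object with an `id` when authenticated
// (null when anonymous), and a constructed in-memory user store. The names
// PROFILE_VISIBILITY, canViewProfile and handleProfileRequest are illustrative.

// Visibility levels, from most to least restrictive.
const PROFILE_VISIBILITY = Object.freeze({
  PRIVATE: "private",             // only the owner can see their own profile
  AUTHENTICATED: "authenticated", // any signed-in user
  PUBLIC: "public",               // anyone, including anonymous visitors
});

// Closed by default: nothing is exposed unless an operator opts in.
const DEFAULT_VISIBILITY = PROFILE_VISIBILITY.PRIVATE;

// Resolve the configured level. A missing or unrecognized value falls back
// to the closed default instead of silently opening the page.
function resolveVisibility(config) {
  const raw = config && config.profileVisibility;
  return Object.values(PROFILE_VISIBILITY).includes(raw) ? raw : DEFAULT_VISIBILITY;
}

// Decide whether `viewer` (null when anonymous) may see the profile owned by `ownerId`.
function canViewProfile(config, viewer, ownerId) {
  const level = resolveVisibility(config);
  const isAuthenticated = Boolean(viewer && viewer.id);
  if (isAuthenticated && viewer.id === ownerId) return true; // owners always see themselves
  switch (level) {
    case PROFILE_VISIBILITY.PUBLIC:
      return true;
    case PROFILE_VISIBILITY.AUTHENTICATED:
      return isAuthenticated;
    case PROFILE_VISIBILITY.PRIVATE:
    default:
      return false;
  }
}

// Constructed sample data standing in for the user table.
const USERS = new Map([
  ["u-100", { id: "u-100", username: "alice", startedAt: "2021-03-01" }],
  ["u-200", { id: "u-200", username: "bob", startedAt: "2022-07-15" }],
]);

// Route handler. A request the policy rejects and a request for an id that
// does not exist get the same 404, so the status code itself does not
// confirm which user-ids exist (a 403-vs-404 split would still allow
// enumeration even with the page content hidden).
function handleProfileRequest(config, viewer, userId) {
  const user = USERS.get(userId);
  if (!user || !canViewProfile(config, viewer, user.id)) {
    return { status: 404, body: { error: "not found" } };
  }
  return { status: 200, body: { username: user.username, startedAt: user.startedAt } };
}

// Usage: an empty config is closed; an explicit "public" setting opens the page.
console.log(handleProfileRequest({}, null, "u-100").status);
console.log(handleProfileRequest({ profileVisibility: "public" }, null, "u-100").status);
```

The two details worth keeping in a real implementation are the fallback in `resolveVisibility`, which turns a typo or an unset key into the closed level rather than the open one, and the single 404 path in the handler, so that hiding the page does not leave the existence of each user-id observable through the status code.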