OpenEnergyPlatform / oeplatform

Repository for the code of the Open Energy Platform (OEP) website. The OEP provides an interface to the Open Energy Family
http://openenergyplatform.org/
GNU Affero General Public License v3.0

List of all registered OEP is scrapable #1244

Closed l-emele closed 1 year ago

l-emele commented 1 year ago

Description of the issue

With the current pattern of the URLs of the profile pages it is very easy to scrape a full list of all people that are registered to the OEP.

Steps to Reproduce

  1. Produce a list by simply incrementing the number at the end of the URL. For example, this is my profile: https://openenergy-platform.org/user/profile/120


l-emele commented 1 year ago

Related to #1240

jh-RLI commented 1 year ago

We have just updated the OEP with a hotfix that hides sensitive information like e-mail from other users (registered/public). Users are still scrapable, but this doesn't seem to be a problem as long as no private data is affected. What do you think?

l-emele commented 1 year ago

Even the fact that you are registered is private data. We mention nowhere in the privacy policy statement that the fact that you are registered will be publicly available. The statement does not even mention a profile page. Therefore I still regard this as a major issue of privacy.

jh-RLI commented 1 year ago

Please check again if my last correction is sufficient for you. The profile pages are still accessible, but appear empty if the user is not logged in or if the current user is not the owner of a profile.
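
The enumeration from the original report (incrementing the ID in `/user/profile/<n>`) and the access rule jh-RLI describes (page reachable, but empty unless the viewer is logged in and owns the profile) can be checked against each other with a small model. The code below is an added example for this page, not code from the oeplatform repository: `Profile`, `USERS`, `render_profile_before`, `render_profile` and `enumeration_oracle` are constructed here, the sample users and e-mails are made up, and the 404 for unknown IDs in the "before" model is an assumption (the usual framework default), not something the thread states. The probe is the practitioner's check: walk a range of IDs as an anonymous visitor and see whether any ID produces a response that differs from the rest, because a different status code or body shape for taken IDs is exactly the oracle a scraper needs, even after the profile contents are hidden.

```python
"""Model of the OEP profile-page policy discussed in this issue, plus an
enumeration probe. Example code written for this page; it is NOT the
oeplatform code base. All names and sample data are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional, Set

@dataclass(frozen=True)
class Profile:
    user_id: int
    username: str
    email: str

# Constructed registry with sequential IDs; not real OEP accounts.
USERS: Dict[int, Profile] = {
    118: Profile(118, "alice", "alice@example.org"),
    120: Profile(120, "l-emele", "le@example.org"),
    121: Profile(121, "bob", "bob@example.org"),
}

Response = Dict[str, object]
Renderer = Callable[[int, Optional[int], Dict[int, Profile]], Response]


def render_profile_before(requested_id: int, viewer_id: Optional[int],
                          users: Dict[int, Profile] = USERS) -> Response:
    """Behaviour the report describes before the hotfix: any visitor,
    logged in or not, gets the full profile. The 404 for an unknown ID is
    an assumption of this example (typical framework default)."""
    profile = users.get(requested_id)
    if profile is None:
        return {"status": 404, "body": {}}
    return {"status": 200,
            "body": {"username": profile.username, "email": profile.email}}


def render_profile(requested_id: int, viewer_id: Optional[int],
                   users: Dict[int, Profile] = USERS) -> Response:
    """Policy from jh-RLI's comment: the page stays reachable but is empty
    unless the viewer is authenticated (viewer_id is not None) AND owns the
    profile. Every other request, including one for an ID that does not
    exist, gets the same 200 with an empty body, so neither status code nor
    body shape reveals whether the ID is taken."""
    profile = users.get(requested_id)
    if profile is not None and viewer_id == requested_id:
        body = {"username": profile.username, "email": profile.email}
    else:
        body = {}
    return {"status": 200, "body": body}


def enumeration_oracle(render: Renderer, viewer_id: Optional[int],
                       id_range: Iterable[int],
                       users: Dict[int, Profile] = USERS) -> Set[int]:
    """Simulate the scrape: request every ID in id_range as viewer_id and
    bucket the responses by (status, body keys). If all IDs land in one
    bucket the viewer learns nothing about who is registered. Otherwise the
    IDs outside the largest bucket are the ones a scraper can single out;
    those are returned."""
    buckets: Dict[tuple, Set[int]] = {}
    for uid in id_range:
        resp = render(uid, viewer_id, users)
        key = (resp["status"], tuple(sorted(resp["body"])))  # type: ignore[arg-type]
        buckets.setdefault(key, set()).add(uid)
    if len(buckets) <= 1:
        return set()
    biggest = max(buckets.values(), key=len)
    leaked: Set[int] = set()
    for ids in buckets.values():
        if ids is not biggest:
            leaked |= ids
    return leaked


if __name__ == "__main__":
    scan = range(100, 130)
    print("before hotfix, anonymous:", sorted(enumeration_oracle(render_profile_before, None, scan)))
    print("after fix, anonymous:   ", sorted(enumeration_oracle(render_profile, None, scan)))
    print("after fix, as user 120: ", sorted(enumeration_oracle(render_profile, 120, scan)))
```

Run as an anonymous visitor, the "before" model hands back exactly the registered IDs, which is the scrape from the report; the "after" model returns no distinguishable IDs. Logged in as a user, the only ID that stands out is the viewer's own, which reveals nothing new. The same probe can be pointed at a live deployment by swapping `render` for a function that performs the HTTP request and returns status and body keys; the thing to confirm is that a non-existent ID and an existing, non-owned ID are indistinguishable.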

l-emele commented 1 year ago

This solution is fine to me.

jh-RLI commented 1 year ago

Great :) I'll close this issue now and we'll continue the discussion once we've agreed on the next steps.