Knowing the URL, reader users can reach other users' edit form. They can't edit any information, but they can still read it.
Same goes for the show users page. Knowing the URL, it is possible for a reader user to see other users' information.
After further consideration, I think being able to see other users' profiles from alert callbacks and other places is a good idea, so I'm closing this issue.
I spotted some issues with user authorisation in other actions, so I created #1088 to fix them.