Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Profile information is globally viewable #11

Closed
dburgoyne opened this issue Feb 19, 2015 · 2 comments
Closed

Profile information is globally viewable #11

dburgoyne opened this issue Feb 19, 2015 · 2 comments
Labels
bug

Comments

@dburgoyne
Copy link
Contributor

By explicitly specifying a user ID in the query string, any user can view any other user's profile page. This also allows a user to indirectly determine the total number of if-me users.

Steps to reproduce:
Log in as any user and make a GET request of the form http://www.if-me.org/profile?userid=N, where N is any integer. If a user with ID N exists, their profile page will be returned. Otherwise, HTTP 404 is returned.
@dburgoyne dburgoyne added the bug label Feb 19, 2015
@dburgoyne dburgoyne mentioned this issue Feb 19, 2015
Closed
@jzshen
Copy link
Collaborator

jzshen commented Apr 11, 2015

Should users have a username then to counteract the problem?

@julianguyen
Copy link
Member

That shouldn't be necessary. I refactored the model for users and allies so that this problem is fixed. Let me know if it isn't though.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@julianguyen @dburgoyne @jzshen