How to hide username from url.
Plucompany - October 3, 2009 - 08:52
| Project: | Global Redirect |
| Version: | 6.x-1.2 |
| Component: | Documentation |
| Category: | feature request |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | closed |
Description
Hi. I found out that when a user accesses a userid via this url:
user/1
The url in the browser is changed to:
users/admin
This means that users can find out each other's usernames.
This problem occurs not only for user 1 (admin) but for all users.
Can this be changed so that users cannot see each other's usernames?

#1
First I've heard of this.
http://drupal.org/user/612730
... doesn't do so.
Have you set pathauto to do this or something?
However those pages DO of course show the actual username - because that's what the page is for. Did you try disabling access to user profiles in the permissions?
#2
Aha found it. Turns out that the module Global Redirect is responsible.
When the request to user/1 is done it replies that the page cannot be found and redirects to users/admin.
Not sure if this is a bug in Global Redirect or if it's a feature?
#3
Certainly sounds like intentional, nice behaviour to me. Not sure if it's worth asking to make this optional, it's an odd request.
Did you check the settings to see if it can be toggled?
#4
No, this cannot be toggled.
Seems to me that this can be a security issue.
We use Ubercart for our webshop; it creates users based on an email address, e.g. "john_doe@hotmail.com" is converted to user "john_doe".
So an anonymous user can find out how many customers we have and possibly find out who they are.
#5
OK, I understand the reason now - that helps ;-)
So you're right, it may be a significant issue.
Ensuring 'access user profiles' is off will help a certain amount, but you can still deduce the number of users because you get either "Access denied" or "Page not found" messages depending. Hm.
And if global redirect is renaming the URL like you say, then I think it's a valid and secure request to check permissions to 'access user profiles' before it does so.
#6
I've checked my site permissions, even if access user profiles is turned off for the anonymous user.
It is still possible to get the username via the url.
#7
sorry did not mean to change status
#8
A quick glance at the code (I don't use the module):
<?php
// If menu checking is enabled, do the check. Feature disabled by default.
if ($menu_check == GLOBALREDIRECT_MENU_CHECK_ENABLED) {
  // Check the access on the current path, return FALSE if access not allowed.
  // This stops redirection for paths without access permission.
  $item = menu_get_item();
  _menu_check_access($item, $item['map']);
  if (!$item['access']) return FALSE;
}
?>
looks like it has this option.
From the project page:
#9
OK, that's right, so setting Menu Access Checking to enabled in the Global Redirect config solves this.
If it's turned on, the username isn't returned.
But this feature is disabled by default and that leaves a security issue.
Thanks a lot for your help!
#10
We learned something today :-)
#11
Automatically closed -- issue fixed for 2 weeks with no activity.
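
Added example, not part of the original thread or of the Global Redirect module: a log check for the pattern discussed above, where one client walks user/<uid> paths and gets redirects (username alias disclosed) or a 403/404 split (account existence disclosed). The log lines, the threshold and the function name are constructed for illustration, and the access log is assumed to be in Apache common format.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Apache common log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Oct/2009:08:50:01 +0000] "GET /user/1 HTTP/1.1" 301 -
203.0.113.7 - - [03/Oct/2009:08:50:02 +0000] "GET /user/2 HTTP/1.1" 301 -
203.0.113.7 - - [03/Oct/2009:08:50:03 +0000] "GET /user/3 HTTP/1.1" 404 512
203.0.113.7 - - [03/Oct/2009:08:50:04 +0000] "GET /user/4 HTTP/1.1" 301 -
198.51.100.9 - - [03/Oct/2009:08:51:10 +0000] "GET /user/12 HTTP/1.1" 403 498
198.51.100.9 - - [03/Oct/2009:08:51:30 +0000] "GET /node/5 HTTP/1.1" 200 8120
"""

# Matches requests for the numeric profile path, with or without clean URLs.
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) /(?:\?q=)?user/(\d+) HTTP/[\d.]+" (\d{3}) '
)

def find_uid_probing(log_text, min_uids=3):
    """Return per-client findings for clients that requested at least
    min_uids distinct user/<uid> paths (threshold is an assumption)."""
    seen = defaultdict(lambda: {"redirected": set(), "denied": set(), "missing": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, uid, status = m.group(1), int(m.group(2)), m.group(3)
        if status in ("301", "302"):
            seen[ip]["redirected"].add(uid)   # Location header carried the alias
        elif status == "403":
            seen[ip]["denied"].add(uid)       # account exists, profile hidden
        elif status == "404":
            seen[ip]["missing"].add(uid)      # no such account
        else:
            seen[ip]                          # still count the client
    report = {}
    for ip, hits in seen.items():
        if sum(len(s) for s in hits.values()) >= min_uids:
            report[ip] = {kind: sorted(uids) for kind, uids in hits.items()}
    return report

if __name__ == "__main__":
    for ip, hits in find_uid_probing(SAMPLE_LOG).items():
        print(ip, hits)
```

Any entry under "redirected" for a client that was not logged in means the menu access check was not applied before the redirect.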