Closed (fixed)
Project:
Global Redirect
Version:
6.x-1.2
Component:
Documentation
Priority:
Normal
Category:
Feature request
Assigned:
Unassigned
Reporter:
Created:
3 Oct 2009 at 08:52 UTC
Updated:
17 Oct 2009 at 14:00 UTC
Hi. I found out that when an users access a userid via this url:
user/1
The url in the browser is changed to:
users/admin
This means that users can find out each others usernames.
This problem occurs not only for user 1 (admin) but for all users.
Can this be changed so that users cannot see each others usernames?
Comments
Comment #1
dman commentedFirst I've heard of this.
http://drupal.org/user/612730
... doesn't do so.
Have you set pathauto to do this or something?
However those pages DO of course show the actual username - because that's what the page is for. Did you try disabling access to user profiles in the permissions?
Comment #2
Plucompany commentedAha found it. Turns out that the module Global Redirect is responsible.
When the request to user/1 is done it replies that the page cannot be found and redirects to users/admin.
Not sure if this is a bug in global redirect or its a feature?
Comment #3
dman commentedCertainly sounds like intentional, nice behaviour to me. Not sure if it's worth asking to make this optional, it's an odd request.
Did you check the settings to see if it can be toggled?
Comment #4
Plucompany commentedNo this cannot be toggled.
Seems to me that this can be a security issue.
We use ubercart for our webshop, it creates users based on an email adres, e.g. "john_doe@hotmail.com" is converted to user "john_doe"
So an anonymous user can find out how many customers we have and possibly find out who they are.
Comment #5
dman commentedOK, I understand the reason now - that helps ;-)
So you're right, it may be a significant issue.
Ensuring 'access user profiles' is off will help a certain amount, but you can still deduce the number of users because you get either "Access denied" or "Page not found" messages depending. Hm.
And if global redirect is renaming the URL like you say, then I think it's a valid and secure request to check permissions to 'access user profiles' before it does so.
Comment #6
Plucompany commentedI've checked my site permisions, even if access user profiles is turned off for the anonymous user.
It is still possible to get the username via the url.
Comment #7
Plucompany commentedsorry did not mean to change status
Comment #8
dman commentedA quick glance at the code (I don't use the module):
looks like it has this option.
From the project page:
Comment #9
Plucompany commentedOk thats right so setting Menu Access Checking to enabled in Global redirect config solves this.
If its turned on the username isnt returned.
But this feature is disabled by default and that leaves a security issue.
Thanks a lot for your help!
Comment #10
dman commentedWe learned something today :-)