Should I be concerned that anonymous users can see "user/0/watcher"? There's little info there but still... My dblog shows attempts to go there.
While "user/0/watcher/settings" is not accessible to an anonymous user, "user/0/watcher" IS.
Can harm be done there? Should it be made inaccessible to anon users?
(If this turns out to be a security risk, of course I'm cool with deleting this post!)
| Comment | File | Size | Author |
|---|---|---|---|
| #4 | watcher-settings-permissions-853154-4.patch | 1.53 KB | thekk |
Comments
Comment #1
pomliane commented: Thank you for the tip.
Even if there is no risk at all, this page probably should not show anyway, should it?
I've made a 301 redirection to mydomain/search404
Comment #2
solipsist commented: Thanks for noticing. I'll make it so that path returns access denied.
Comment #3
Solariss commented: Hello,
Thank you for the module! I use it with great pleasure.
This problem has one more issue. I use version 1.4; it shows "access denied" for anonymous users. But this address /user/1/watcher/settings (or any other /user/[uid]/watcher/settings) is accessible to any authenticated user.
So any user can change settings for any other user. It is not secure.
Comment #4
thekk commented: The problem is that the module only checks if a user has the permission 'change own user settings', but doesn't check if the visiting user is the account holder. I think the patch below should resolve that (but is untested at this moment).
I think it also is a good idea to change the names of the access statuses 'change own user settings' and 'access help page' to something less generic (and more tied to the module). Proposal: 'change own watcher settings' and 'access watcher help page'.
Comment #5
thekk commented: Title update.
Comment #6
diego.pasc commented: The patch is almost correct;
we only have to edit the hook_menu:
FROM:
$items['user/%/watcher/help'] = array(
TO:
$items['user/%user/watcher/help'] = array(
Then it works properly for me.
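The access bug described in Comment #4 (the permission is checked, the account in the path is not) and the `%user` loader change from Comment #6 are shown together below in a Drupal 6 style hook_menu, as an added example; this is not the Watcher module's own code or the patch from this issue. Function names, the permission strings (taken from thekk's renaming proposal), the `user_edit_access()`-style administrator clause, and the form callback are assumptions.

```php
<?php
/**
 * Added example: vulnerable vs. hardened menu definitions for a per-user
 * settings page (illustrative, not the Watcher module's real hook_menu).
 */

/**
 * BEFORE (the bug from Comment #4): '%' passes the raw uid through without
 * loading anything, and the access callback is plain user_access(), so any
 * authenticated user holding the permission reaches user/<any uid>/watcher/...
 */
function watcher_menu_vulnerable() {
  $items = array();
  $items['user/%/watcher/settings'] = array(
    'title' => 'Watcher settings',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('watcher_settings_form', 1),   // raw uid from the URL
    'access callback' => 'user_access',
    'access arguments' => array('change own user settings'),  // no ownership check
    'type' => MENU_LOCAL_TASK,
  );
  return $items;
}

/**
 * AFTER: '%user' makes the menu system call user_load() on the path argument,
 * so the access callback receives the account object (or FALSE for a bogus uid,
 * which yields a 404 before the callback is even reached).
 */
function watcher_menu_hardened() {
  $items = array();
  $items['user/%user/watcher/settings'] = array(
    'title' => 'Watcher settings',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('watcher_settings_form', 1),   // loaded $account object
    'access callback' => 'watcher_settings_access',
    'access arguments' => array(1, 'change own watcher settings'),
    'type' => MENU_LOCAL_TASK,
  );
  // The help page gets the same treatment (this is the %user change from Comment #6).
  $items['user/%user/watcher/help'] = array(
    'title' => 'Watcher help',
    'page callback' => 'watcher_help_page',                   // assumed page callback
    'page arguments' => array(1),
    'access callback' => 'watcher_settings_access',
    'access arguments' => array(1, 'access watcher help page'),
    'type' => MENU_LOCAL_TASK,
  );
  return $items;
}

/**
 * Access callback (assumed name): the account in the path must be a real,
 * non-anonymous user, the visitor must be that account holder (or an
 * administrator, mirroring core's user_edit_access()), and the visitor must
 * also hold the module permission.
 *
 * @param object|bool $account  Result of user_load() via the %user loader.
 * @param string $permission    Module permission required for this page.
 * @return bool
 */
function watcher_settings_access($account, $permission) {
  global $user;

  // Unknown uid (user_load() returned FALSE) or user/0: deny. This also closes
  // the anonymous user/0/watcher path the original report asked about.
  if (!is_object($account) || empty($account->uid)) {
    return FALSE;
  }

  // Ownership check that the vulnerable version lacks: the visitor has to be
  // the account holder. 'administer users' is an assumed admin override.
  $is_owner = ((int) $user->uid === (int) $account->uid);
  if (!$is_owner && !user_access('administer users')) {
    return FALSE;
  }

  // Finally the module permission itself, as before.
  return user_access($permission);
}
```

The check is deliberately done in the access callback rather than inside the form builder: in Drupal the access callback is what guards the menu path itself, so failing it returns 403 before any page or form code runs, whereas a check inside `watcher_settings_form` would still let a crafted submission reach the form's own handlers.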
Comment #7
d.novikov commented: Thank you all!
The patch from http://drupal.org/node/853154#comment-4697882 was committed to 6.x-1.x-dev (with respect to the http://drupal.org/node/853154#comment-5529112 comment).
It's never too late to mend :)
Comment #8
d.novikov commented