Vote #65568
完了account/show/:user_id should not be accessible for other users not in your projects
0%
説明
We use Redmine in a setting where certain users should not be able to see the name and email of every other user in the system. For example, when you have two separate clients involved in separate private projects, these clients shouldn't be able to access each others user profile at /account/show/:other_user_id. They should have no way of discovering other users in the same system that aren't involved in their projects.
To increase privacy and security of a Redmine system, particularily where it is not good to expose who all the users are it would be nice to restrict access to those users which are in public projects or private projects that the current user is also in.
journals
--------------------------------------------------------------------------------
Fixed in r2986. User won't be displayed if there's no visible project or activity.
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Merged in 0.8 branch in r2987.
--------------------------------------------------------------------------------
related_issues
relates,Closed,4129,Anonymous users can get all user's information
duplicates,Closed,5351,View /account/show/id-user on Redmine 0.9.2
Admin Redmine さんがほぼ2年前に更新
- カテゴリ を Accounts / authentication_7 にセット
- 対象バージョン を 0.8.6_12 にセット