Data privacy concern

Hello I have been reported some security flaws I would like to understand

User List:
All the platform users are visibles without being identified
https://*domain*/directory_items.json?period=daily&order=posts_read

User details:
We can get all the user details without being identified
https://*domain*/users/*user*.json

Is there a way to limit this situation or the level of user details accesible publicly?
I know if I only allow login users, all this info is blocked.
How can I keep some public info but:

  • Limiting the posibility of getting USERs LISTING (all the database)
2 Likes

After the above commit, checking the “Hide my public profile and presences features” option on Preferences → Interface does block the individual user RSS & JSON routes.

image

You can also uncheck the enable user directory site setting :arrow_down:

Does that help?

7 Likes

Very fast answer. Thanks @rishabh.
I just would like you elaborate on the first point because I am not a RSS / JSON expert:

  • I understand I just have to rebuild to apply this fix?
  • what does it mean to “block the individual user RSS & JSON routes”?

And some added questions.

  • Is there an option to
    check by default the “Hide my public profile and presences features”?
  • If I disable directory it is disabled even for administrators. I think should be a way to limit User directory access with more granularity (administrators, and moderators should be able to have always access I think)
  • I have checked “hide user profiles form public”. But Anonymous till receive a list of users, limited list but till a list. Should be an option to block all ANONYMOUS users to personal info and listing. (may this be part of what I am missing in your fix?)
2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.