Hello, some security flaws have been reported to me that I would like to understand:
- All the platform users are visible without being identified.
- We can get all the user details without being identified.
Is there a way to limit this situation or the level of user details accessible publicly?
I know that if I only allow logged-in users, all this info is blocked.
How can I keep some public info but:
- limit the possibility of getting a USER LISTING (the whole database)?
After the above commit, checking the “Hide my public profile and presence features” option on Preferences → Interface does block the individual user RSS & JSON routes.
You can also uncheck the `enable user directory` site setting.
Does that help?
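To confirm that the two settings above actually close the anonymous routes on your own site, an added check script (not code from this thread or from Discourse) can request the user directory, a user's profile JSON and a user's activity RSS with no session cookie and report whether each one still returns user data. It assumes the standard Discourse paths `/directory_items.json`, `/u/<username>.json` and `/u/<username>/activity.rss`; verify those against your installed version, and point it at your own forum with a test account.

```python
"""Check whether a Discourse site still exposes user listings or user
details to anonymous requests after the privacy settings are changed.

Added example, not code from the thread or from the Discourse project.
Assumed routes (standard Discourse, confirm on your version):
  /directory_items.json            -> user directory listing
  /u/<username>.json               -> per-user profile JSON
  /u/<username>/activity.rss       -> per-user RSS feed
Run it without any login cookie so every request is anonymous.
"""
import json
import urllib.error
import urllib.request

ROUTES = {
    "user directory": "/directory_items.json?period=all",
    "user profile JSON": "/u/{username}.json",
    "user activity RSS": "/u/{username}/activity.rss",
}


def http_get(url, timeout=10):
    """Anonymous GET returning (status, body); HTTP errors are results, not exceptions."""
    req = urllib.request.Request(url, headers={"User-Agent": "anon-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def classify(route_name, status, body):
    """Classify one anonymous response as 'exposed', 'blocked' or 'unexpected'.

    403/404 means the route is closed to anonymous users. A 200 only counts
    as exposure when the body actually carries user data (an empty directory
    list still exposes nothing)."""
    if status in (403, 404):
        return "blocked"
    if status != 200:
        return "unexpected"
    if route_name == "user directory":
        try:
            items = json.loads(body).get("directory_items", [])
        except ValueError:
            return "unexpected"
        return "exposed" if items else "blocked"
    if route_name == "user profile JSON":
        try:
            return "exposed" if "user" in json.loads(body) else "blocked"
        except ValueError:
            return "unexpected"
    # RSS route: a 200 with a feed body means the per-user feed is still public.
    return "exposed" if "<rss" in body or "<feed" in body else "blocked"


def check_site(base_url, username, fetch=http_get):
    """Request each route anonymously and return {route name: verdict}.

    `fetch` is injectable so the classification logic can be exercised
    offline; the default performs real requests against `base_url`."""
    results = {}
    for name, path in ROUTES.items():
        url = base_url.rstrip("/") + path.format(username=username)
        status, body = fetch(url)
        results[name] = classify(name, status, body)
    return results


if __name__ == "__main__":
    import sys
    # Usage: python check.py https://forum.example.org some_test_account
    site, user = sys.argv[1], sys.argv[2]
    for name, verdict in check_site(site, user).items():
        print(f"{name:20s} {verdict}")
```

Any route reported as `exposed` after applying the settings means the relevant data is still reachable without a login; `unexpected` (for example a 500 or non-JSON body) means the check could not decide and the response should be looked at by hand.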
Very fast answer. Thanks @rishabh.
I would just like you to elaborate on the first point because I am not an RSS / JSON expert:
- I understand I just have to rebuild to apply this fix?
- what does it mean to “block the individual user RSS & JSON routes”?
And some additional questions.
- Is there an option to check “Hide my public profile and presence features” by default?
- If I disable the directory, it is disabled even for administrators. I think there should be a way to limit user directory access with more granularity (administrators and moderators should always be able to have access, I think).
- I have checked “hide user profiles from public”. But anonymous users still receive a list of users, a limited list but still a list. There should be an option to block all ANONYMOUS users from personal info and listings. (Maybe this is part of what I am missing in your fix?)
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.