vpieterse/pinocchio

Should ability exist to get contact information of users outside of current team?

Opened this issue · 1 comments

Currently, it is easy to guess the user ID of other users (in UP's case, it's just their student number). By changing the URL "/accountDetails/uxxxxxxxx", you can get the contact details of users outside of your current team.

Is this correct? Seems like a privacy issue.

It should be impossible to access the page directly. The system should allow access to the page only if it was accessed via the legit route.
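The following is an added example, not code from the pinocchio project (whose routes and data model are not shown on this page): it puts the lookup pattern the issue describes beside a handler that checks team membership on the server for every request, so the decision does not depend on which link the page was reached through. The User model, sample users, team names and the 404-on-denial choice are assumptions.

```python
# Added example (not pinocchio's own code): server-side object-level
# authorization for an /accountDetails/<user_id> page.
# The data model and sample users below are constructed assumptions.
from dataclasses import dataclass, field
from typing import Optional, Tuple
import logging

log = logging.getLogger("accountDetails")


@dataclass
class User:
    user_id: str            # guessable, e.g. a student number like "u12345678"
    email: str
    phone: str
    teams: set = field(default_factory=set)


# Constructed sample directory: u1 in team-a, u2 in team-b, u3 in both.
USERS = {
    "u11111111": User("u11111111", "a@example.edu", "000-1", {"team-a"}),
    "u22222222": User("u22222222", "b@example.edu", "000-2", {"team-b"}),
    "u33333333": User("u33333333", "c@example.edu", "000-3", {"team-a", "team-b"}),
}


def account_details_vulnerable(requester_id: str, target_id: str) -> Optional[dict]:
    """The pattern the issue reports: any logged-in user gets any other
    user's contact details just by changing the ID in the URL."""
    target = USERS.get(target_id)
    return None if target is None else {"email": target.email, "phone": target.phone}


def shares_team(a: User, b: User) -> bool:
    return a is b or bool(a.teams & b.teams)


def account_details_fixed(requester_id: str, target_id: str) -> Tuple[int, Optional[dict]]:
    """Hardened handler returning an HTTP-style (status, body) pair.
    Access is decided from the session user and the target user on every
    request, so reaching the URL directly gains nothing."""
    requester = USERS.get(requester_id)
    target = USERS.get(target_id)
    # One response for "no such user" and "not a teammate", so walking
    # through guessable IDs does not reveal which accounts exist.
    if requester is None or target is None or not shares_team(requester, target):
        log.warning("denied accountDetails: %s -> %s", requester_id, target_id)
        return 404, None
    return 200, {"email": target.email, "phone": target.phone}
```

The denied-request log line is what a team would alert on: one session hitting many distinct target IDs and collecting 404s is the signature of exactly the enumeration this issue describes.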