Visiting a user's page gives unauthorised, but breadcrumb shows full name
Bug #493919 reported by Matt Giuca
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
IVLE | Fix Released | Low | Matt Giuca |
Bug Description
Is this an information disclosure problem? We aren't authorised to view the object, but this piece of information is shown anyway.
security vulnerability: no → yes
Changed in ivle: status: Fix Committed → Fix Released
From a discussion with dcoles earlier, I think we figured that this is not a bug we need to solve. The disclosure is minor (it just shows the user's nickname if you know their login). This is no worse than `finger`. I am marking this as In Progress as I'm going to investigate how easy it is to actually fix the bug, if desired. But we may end up just marking it as Won't Fix.