Launchpad itself

Any user can set the Google Map Location for someone else

Bug #274029 reported by Matt Layman on 2008-09-24

This bug report is a duplicate of: Bug #262193: new location code allows anyone to set anyone else's location. Edit Remove

Affects		Status	Importance	Assigned to	Milestone
	Launchpad itself	New	Undecided	Unassigned

Bug Description

I was looking at a user page and noticed that I could click their map and be taken to the map location page to set the user's location. I switched to staging.launchpad.net to test if I could actually set their location and not get a permission denied error. Unfortunately, launchpad allowed me to set that user's location. Launchpad also allowed me to edit the location after it had been set. I tested with a different user who already had his location set, and it allowed me to edit that too.

This seems like a privacy issue for users who don't want their location specified by someone else. Also, since this is part of someone's profile, it seems like someone else should not be allowed to edit or save a location at all.

I think that the link to set the location (accessible by clicking the map if the location is not set) and the "Set location and time zone" link (https://launchpad.net/~user/+editlocation) should not be available to all users, only to ~user.

Exact URLs:
This was the user that didn't have a set location:
https://launchpad.net/~ubuntu-marginal
This was the user that did have a set location:
https://launchpad.net/~rockstar

Report a bug

This report contains Public information

Everyone can see this information.

Duplicate of bug #262193 Remove

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.