In order to avoid a username enumeration vulnerability on this, we should make sure that the message you see when trying to access a profile page you don't have access to, is the same as the message you see when trying to access a profile page that doesn't exist. This is especially true when clean urls are in place.
https://www.owasp.org/index.php/Testing_for_User_Enumeration_and_Guessable_User_Account_ %28OWASP-AT-002%29 -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. Matching subscriptions: Subscription for all Mahara Contrib members https://bugs.launchpad.net/bugs/1158625 Title: Make profile information not avaialble for public when not shared Status in Mahara ePortfolio: In Progress Status in Mahara 1.5 series: In Progress Status in Mahara 1.6 series: In Progress Status in Mahara 1.7 series: New Bug description: From at least Mahara 1.6 on, very basic information about a user (profile picture, name, institution) is made public when public pages are allowed. This information is displayed even when the user hasn't shared their portfolio with the public. This came about when changes were made to the logged-in user profile access. In the past (at least up to 1.4), you only saw the login screen when you tried to access a profile of a user but were not logged in. This should be the case again. To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1158625/+subscriptions _______________________________________________ Mailing list: https://launchpad.net/~mahara-contributors Post to : [email protected] Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
