User's Account Security

Imported From: http://groups.google.com/group/in-portal-dev/browse_thread/thread/cce90509f2db4a7a#

I'm testing user account links, and in the default theme we have the following link to see how our profile appears: /advanced/platform/my_account/public_profile.html?user_id=170. This link is at the bottom of the "advanced/platform/my_account/my_preferences.html" page.

The problem is that everybody can change the user_id and surf through the entire user DB. What do you think about moving the user ID retrieval to platform/my_account/public_profile, and removing this "post" ID function?

Of course theme developers can change the way it works, but we should avoid any security hole in our standard distro, so as not to be seen as a "weak security product" if users need to patch the system themselves.
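
A minimal sketch of the change proposed above, as an added example that is not part of the original post and not In-Portal code: plain PHP in which the function names, the user table and the session layout are all hypothetical. It puts a lookup keyed on the request's user_id next to one keyed only on the server-side session.

```php
<?php
// Added illustration in plain PHP; none of this is In-Portal's API.
// Constructed sample data standing in for the user table.
const USERS = [
    170 => ['login' => 'alice', 'email' => 'alice@example.test'],
    171 => ['login' => 'bob',   'email' => 'bob@example.test'],
];

// Before: the profile shown is whatever user_id the request carries,
// so changing the number in the link returns another user's record.
function profile_from_request(array $query): ?array
{
    $id = (int) ($query['user_id'] ?? 0);
    return array_key_exists($id, USERS) ? USERS[$id] : null;
}

// After: the ID comes only from the session. A user_id in the request is
// never used for the lookup; a mismatch is recorded so it can be reviewed.
function profile_from_session(array $session, array $query, array &$log): ?array
{
    $id = $session['user_id'] ?? null;
    if (!is_int($id) || !array_key_exists($id, USERS)) {
        return null; // not logged in: the caller redirects to the login page
    }
    $asked = $query['user_id'] ?? null;
    if ($asked !== null && (!is_scalar($asked) || (string) $asked !== (string) $id)) {
        // Sanitise before logging so the parameter cannot inject log lines.
        $shown = is_scalar($asked)
            ? preg_replace('/[^0-9A-Za-z_-]/', '?', (string) $asked)
            : '(non-scalar)';
        $log[] = sprintf('user %d sent mismatching user_id=%s', $id, $shown);
    }
    return USERS[$id];
}

$log     = [];
$session = ['user_id' => 170];   // constructed: user 170 is logged in
$query   = ['user_id' => '171']; // constructed: link edited by the visitor

var_dump(profile_from_request($query)['login']);
var_dump(profile_from_session($session, $query, $log)['login']);
var_dump(profile_from_session([], $query, $log));
print_r($log);
```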