
Imported From: http://groups.google.com/group/in-portal-dev/browse_thread/thread/cce90509f2db4a7a#

Hello,

I'm testing user account links, and we have in the default theme the following
link to see how our profile appears:
advanced/platform/my_account/public_profile.html?user_id=170
This link is at the bottom of the
"advanced/platform/my_account/my_preferences.html" page.

The problem is that everybody can change the user_id and surf through the whole
users' DB.
What do you think about moving the user ID retrieval to
platform/my_account/public_profile, and removing this "post" ID function?

Of course theme developers can change the way it's working, but we should
avoid any security hole in our standard distro, so as not to be seen as a "weak
security product" if users need to patch the system themselves.

Phil.
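The two behaviours discussed in the thread, side by side, as an added example that is not In-Portal code: the reported handler trusts `?user_id=` from the URL, the proposed fix takes the id from the logged-in session instead, and a small log check flags the enumeration pattern the unfixed page permits. Function names, the session/query dictionaries and the sample log lines (with documentation-range IPs) are all constructed for this example.

```python
import re
from collections import defaultdict

class AccessDenied(Exception):
    pass

def profile_id_vulnerable(session, query):
    """Reported behaviour: the profile shown is whatever ?user_id= says,
    so any visitor can walk the whole user table by changing the number."""
    return int(query["user_id"])

def profile_id_fixed(session, query):
    """Proposed fix: ignore the URL parameter and take the id from the
    authenticated session, so a user can only open their own profile."""
    user_id = session.get("user_id")
    if user_id is None:
        raise AccessDenied("login required to view a profile")
    return user_id

def fixed_denies(session, query):
    """True if the fixed handler refuses the request (used by the checks below)."""
    try:
        profile_id_fixed(session, query)
    except AccessDenied:
        return True
    return False

# Matches the profile URL from the post in a simplified access-log line (constructed format).
LOG_RE = re.compile(
    r'^(\S+) \S+ "GET /advanced/platform/my_account/public_profile\.html\?user_id=(\d+)')

def find_enumeration(log_lines, threshold=5):
    """Return client IPs that fetched at least `threshold` distinct user_id values,
    the access pattern the unfixed page makes possible."""
    ids_by_ip = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            ids_by_ip[m.group(1)].add(int(m.group(2)))
    return sorted(ip for ip, ids in ids_by_ip.items() if len(ids) >= threshold)

# Constructed sample log: one client steps through ids 170..175, another
# only reloads its own profile twice.
SAMPLE_LOG = [
    f'203.0.113.5 - "GET /advanced/platform/my_account/public_profile.html?user_id={i} HTTP/1.1" 200'
    for i in range(170, 176)
] + [
    '198.51.100.7 - "GET /advanced/platform/my_account/public_profile.html?user_id=170 HTTP/1.1" 200',
] * 2
```

With the fixed handler the `user_id` parameter is simply no longer consulted, which is what removing the "post" ID function from the theme amounts to.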