Anonymous users should not be able to view/access the Bitbucket user avatars


    • Type: Suggestion
    • Resolution: Unresolved
    • Component/s: User Profiles

      Issue Summary

      This is reproducible on Data Center: Yes

      It appears that anyone, including people who do not have a Bitbucket account at all, can see a Bitbucket Server user's avatar even after feature.public.access has been set to false.

      Steps to Reproduce

      1. Start an incognito tab (no Bitbucket session)
      2. Access the following URL after replacing <username> with an actual username
        • http(s)://<bitbucket_base_url>/users/<username>/avatar.png?s=64&v=1

      Expected Results

      With feature.public.access set to false, the URL should require authentication and the avatar should not be served to an anonymous client.

      Actual Results

      The user's avatar image is returned to the unauthenticated client.
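      The reproduction steps above can be scripted so that an administrator can re-check the behaviour after a configuration change or upgrade. The following is an added example, not code from Atlassian or from this issue; it assumes only the avatar URL pattern quoted in the steps, and the operator supplies the base URL and usernames. It refuses to follow redirects so that a redirect to the login page is reported as "protected" rather than silently followed.

```python
"""Probe Bitbucket Server / Data Center avatar URLs as an anonymous client.

Added example (not Atlassian's code). Assumes the URL pattern from the
reproduction steps: /users/<username>/avatar.png?s=64&v=1
"""
import sys
import urllib.error
import urllib.request
from typing import Optional
from urllib.parse import quote


def build_avatar_url(base_url: str, username: str, size: int = 64) -> str:
    """Build the avatar URL exactly as in the reproduction steps."""
    base = base_url.rstrip("/")
    return f"{base}/users/{quote(username, safe='')}/avatar.png?s={size}&v=1"


def classify(status: int, content_type: str, location: Optional[str] = None) -> str:
    """Map an anonymous response to a verdict.

    exposed   - 200 with an image body: the avatar was served without a session
    protected - 401/403, or a redirect whose target looks like the login page
    not-found - 404 (unknown user, or the endpoint hidden from anonymous users)
    """
    if status == 200 and content_type.lower().startswith("image/"):
        return "exposed"
    if status in (401, 403):
        return "protected"
    if status in (301, 302, 303, 307, 308):
        if location and "login" in location.lower():
            return "protected"
        return "redirect-other"  # e.g. to an external avatar host; inspect manually
    if status == 404:
        return "not-found"
    return "unknown"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so we can see them ourselves."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # unhandled -> urllib raises HTTPError with the 3xx code


def probe(base_url: str, username: str, timeout: int = 10) -> str:
    """Fetch the avatar with no cookies or credentials and classify the result."""
    url = build_avatar_url(base_url, username)
    req = urllib.request.Request(url, headers={"User-Agent": "avatar-access-check"})
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify(resp.status, resp.headers.get("Content-Type", ""),
                            resp.headers.get("Location"))
    except urllib.error.HTTPError as err:
        # 3xx/4xx/5xx all arrive here because redirects are not followed
        return classify(err.code, err.headers.get("Content-Type", ""),
                        err.headers.get("Location"))


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit(f"usage: {sys.argv[0]} <bitbucket_base_url> <username> [<username> ...]")
    base, users = sys.argv[1], sys.argv[2:]
    for user in users:
        print(f"{user}: {probe(base, user)}")
```

      Run it from a host with no Bitbucket session; any "exposed" line means the avatar endpoint is still reachable anonymously. A "redirect-other" verdict should be inspected by hand, since a redirect to an external image host would also leak the avatar.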

      Workaround

      Currently, there is no known workaround for this behaviour. A workaround will be added here when one is available.

              Assignee:
              Unassigned
              Reporter:
              Tahir Bhat (Inactive)
              Votes:
              2
              Watchers:
              4