Description
Similar to CWD-3465, it seems that the Crowd OpenID server does not enforce profile ownership for viewing. That is, a non-admin user called Mallory can view Alice's profile information if Mallory obtains Alice's profileId number. For example, https://openid.atlassian.com/secure/profile/editprofiles.action?profileID=15240744 shows you my profile details.
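The missing check described in this report, sketched as an added example (not part of the original report and not Crowd's code): a profile lookup keyed only by the request's `profileID` next to one scoped to the authenticated session user. `Profile`, `ProfileStore`, `findByIdForOwner` and the sample ids and usernames are all hypothetical and constructed for illustration.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

// Added illustration with hypothetical names; not taken from Crowd.
public class ProfileOwnershipCheck {
    record Profile(long id, String ownerUsername, String details) {}

    static class ProfileStore {
        private final Map<Long, Profile> byId = new HashMap<>();

        void save(Profile p) { byId.put(p.id(), p); }

        // Pattern behind the report: the lookup trusts the client-supplied id
        // and never asks who is making the request.
        Optional<Profile> findById(long profileId) {
            return Optional.ofNullable(byId.get(profileId));
        }

        // Scoped lookup: a profile is returned only to its owner. A profile
        // owned by someone else looks the same as a missing one, so responses
        // do not reveal which ids exist.
        Optional<Profile> findByIdForOwner(long profileId, String authenticatedUser) {
            return findById(profileId)
                    .filter(p -> p.ownerUsername().equals(authenticatedUser));
        }
    }

    public static void main(String[] args) {
        ProfileStore store = new ProfileStore();
        // Constructed sample data.
        store.save(new Profile(1001L, "alice", "alice's OpenID profile"));
        store.save(new Profile(1002L, "mallory", "mallory's OpenID profile"));

        // The username must come from the server-side session, never from a
        // request parameter; the id is what arrives as profileID.
        String sessionUser = "mallory";
        long requestedId = 1001L;

        System.out.println("unscoped lookup of alice's id: "
                + store.findById(requestedId).isPresent());
        System.out.println("scoped lookup of alice's id:   "
                + store.findByIdForOwner(requestedId, sessionUser).isPresent());
        System.out.println("scoped lookup of own id:       "
                + store.findByIdForOwner(1002L, sessionUser).isPresent());
    }
}
```

The same scoped lookup should back both the view and edit paths, since CWD-3465 reports the equivalent gap for edits.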
Issue Links
- relates to CWD-3465 Crowd OpenID server does not enforce profile ownership for edits (Closed)