-
Bug
-
Resolution: Answered
-
Medium (View bug fix roadmap)
-
None
-
3.6.3
-
All
-
3.06
-
The login username of users is revealed all over the place (in URLs that link to user profile, or user's list of assigned open bugs etc).
This seems to be a big security risk, because you have given away half of the user identification to strangers.
Anybody can look up a user in the issue tracker and find out what username they have (possibly on an external system, LDAP or otherwise).
Instead, you should be using an internal userid for these links.
- relates to
-
JRASERVER-1549 Ability to rename a user
- Closed
publically available usernames are a security risk
-
-
Resolution: Answered
-
Medium
-
None
-
3.6.3
-
All
-
3.06
-
The login username of users is revealed all over the place (in URLs that link to user profile, or user's list of assigned open bugs etc).
This seems to be a big security risk, because you have given away half of the user identification to strangers.
Anybody can look up a user in the issue tracker and find out what username they have (possibly on an external system, LDAP or otherwise).
Instead, you should be using an internal userid for these links.
- relates to
-
- Closed
-
Unassigned
-
Martin Martin
- Votes:
-
4 Vote for this issue
- Watchers:
-
3 Start watching this issue
- Created:
- Updated:
- Resolved: