Privacy Issue : Elgg.org

Privacy Issue

By happy gupta 3893 days ago

When i go to my inbox (message plugin) the link is someting like
http://www.mydomain.com/messages/inbox/myuserid

when i replace "myuserid" with my "otheruserid" i.e.,
http://www.mydomain.com/messages/inbox/otheruserid

I am able to see his inbox and every other stuff....

Please tell me a way to fix it... i m using elgg 1.8.8...!!!

- Matt Beckett@Beck24
Matt Beckett 3893 days ago
- 0 likes
You're an administrator - you can see other peoples stuff. Try it as a non-admin, you won't be able to see any messages - no privacy issue.
- happy gupta@bornrockstar123
happy gupta 3892 days ago
- 0 likes
yes i created a demo user who is not an admin... that profile can also see the messages...
- Matt Beckett@Beck24
Matt Beckett 3892 days ago
- 0 likes
Then there's something wrong with your installation, or more likely, you're using a plugin that's failing the security. I tested it after you posted, and on a default installation a non-admin cannot see another users messages.
- happy gupta@bornrockstar123
happy gupta 3892 days ago
- 0 likes
ok ok got it... Admin can see the message but a non-admin will see it with "NO MESSAGE"
its ok... :)
- iionly@iionly
iionly 3892 days ago
- 0 likes
http://trac.elgg.org/ticket/4879
- Matt Beckett@Beck24
Matt Beckett 3892 days ago
- 0 likes
Yes, it's definitely a UI bug. Just not a privacy issue :)