I have been getting lots of reports on my site of users visiting their 'my account' page and seeing another user's profile information.
I've tried this out myself by making a test user account. After logging in to the site I clicked on 'my account' and sure enough the URL in the browser displayed users/[someone else's username] and their profile information was displayed.
I've looked in permissions and did have the 'view user profiles' option ticked for authenticated users. However, I disabled this and tried again. Drupal now tries to show me another user's profile but a 'forbidden' error page is displayed. Clicking on 'my account' for a second time seems to take me to my own profile page.
Please help / advise.
Comments
Comment #1
binarylime commented:
It looks as though the user account which is being displayed is the most recent user.
I just logged out as testuser1, logged in as testuser2, clicked on 'my account' and it tried to take me to testuser1's profile until a forbidden page was displayed. Clicking on my account again takes me to the correct place.
Comment #2
binarylime commented:
The problem only started after installing the mailchimp module to integrate with my mailchimp account.
Disabling the mailchimp module and clearing all caches in admin/performance seems to have fixed the problem.
To replicate - standard drupal 6 installation with mail chimp module. Create two 'authenticated' users. Login as one user, logout, login as second user and visit 'my account' page. URL in browser bar and profile information displayed is for wrong user.
I will temporarily re-enable the mail chimp module on my site and give you two 'authenticated' usernames / passwords if you would like to try it and think that would help.
Comment #3
binarylime commented:
Update: this isn't fixed.
Mailchimp is uninstalled now but the problem still persists. It was fine for a while but then I turned Authcache back on for authenticated users and now the problem is back. Looks like an Authcache issue rather than mail chimp.
Comment #4
binarylime commented:
Any ideas with this? It's a pretty serious issue if users are seeing other users' personal information. Thanks.
Comment #5
Jonah Ellison commented:
By default user* pages are not cached. Did you change the settings to cache these pages?
What could be happening is that the "My Account" URL isn't being updated dynamically via JS. This needs to be done, otherwise the cached page will display the link to the account that last viewed it and cached it. There's some code in authcache.js that is supposed to do this, but sometimes it doesn't work with certain themes.
Comment #6
vanderchris commented:
Could anyone figure out how to fix this issue? I am having more or less the same problem when authcache is enabled. When users view a rakeback (specific page for gamblers on my site) page they see other players' rakeback info.
Turn authcache off and everything is back to normal. Anyone looking at this issue or is there a better alternative to use instead of Authcache?
Comment #7
simg commented:
vanderchris: did you disable the caching of "rakeback" pages in the authcache settings page? You should.
I'm going to close this issue because it's so old, but you're welcome to re-open it if you still have the problem.
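Comment #5 describes the mechanism (a cached page keeps the "My account" link of whoever populated the cache) and comment #7 the fix of excluding per-user pages from the cache. The model below is added here and is not code from this thread or from the Authcache module: it reproduces the leak with two test users and compares three mitigations. The `PageCache` class, the `PLACEHOLDER` marker and the page contents are constructed assumptions.

```python
"""Constructed model of a full-page cache in front of a site whose page
header carries a per-user 'My account' link, as in this thread. This is
not Authcache's code; it shows the leak and three ways to close it."""
import re
from fnmatch import fnmatch

PLACEHOLDER = "{{USER}}"  # hypothetical marker for the per-user part of a page

def render(path: str, user: str) -> str:
    """Render `path` for `user`; the header link is the only per-user part."""
    body = f"<h1>{path}</h1>"
    if path.startswith("user/"):
        body += f"<p>Profile of {path.split('/', 1)[1]}</p>"
    return f'<a href="user/{user}">My account</a>{body}'

class PageCache:
    def __init__(self, never_cache=(), per_user=False, strip_personal=False):
        self.store = {}
        self.never_cache = never_cache        # fix 1: exclude user/*, rakeback/* etc.
        self.per_user = per_user              # fix 2: key entries by user as well as path
        self.strip_personal = strip_personal  # fix 3: cache a template, fill the link per request

    def get(self, path: str, user: str) -> str:
        if any(fnmatch(path, pat) for pat in self.never_cache):
            return render(path, user)         # excluded paths are never served from cache
        key = (path, user) if self.per_user else path
        if key not in self.store:
            html = render(path, user)
            if self.strip_personal:           # server-side version of what authcache.js does
                html = html.replace(f'href="user/{user}"', f'href="user/{PLACEHOLDER}"')
            self.store[key] = html
        return self.store[key].replace(PLACEHOLDER, user)

def wrong_account_link(html: str, user: str):
    """Username the 'My account' link points at if it is not `user`, else None."""
    m = re.search(r'href="user/([^"]+)">My account', html)
    return m.group(1) if m and m.group(1) != user else None

def simulate(cache: PageCache, path: str = "node/1"):
    """testuser1 warms the cache for `path`, then testuser2 requests it."""
    cache.get(path, "testuser1")
    return wrong_account_link(cache.get(path, "testuser2"), "testuser2")

if __name__ == "__main__":
    print("shared cache:", simulate(PageCache()))                                          # testuser1 (leak)
    print("user/* excluded, front page:", simulate(PageCache(never_cache=("user/*",))))    # still leaks the link
    print("per-user key:", simulate(PageCache(per_user=True)))                             # None
    print("placeholder:", simulate(PageCache(strip_personal=True)))                        # None
```

Excluding `user/*` stops profile bodies being served from the cache, but the header link on every other cached page still belongs to the first visitor, which is why the per-request fill-in that comment #5 describes is needed as well.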
Comment #8
vanderchris commented:
I know this is a very very late reply, but thanks simg. I did exactly that and it was exactly what I needed to do.