With the default User aliases enabled (users/[user:name]), any anonymous user can goto yoursite.com/user/1 and see User 1's username in the URL. This is a potential security nuisance because now a "hacker" has half the login credentials brute-force with.

Other than disabling User aliases, is there a way to only show them when a user is logged in?

Comments

kruser created an issue.