This issue was reported to the Security Team and is being moved to the public issue queue due to https://www.drupal.org/node/1004778

The autocomplete callback provided at example.com/login_one_time_autocomplete_users lists usernames.

You can see this by:
1. Enabling the module
2. Assigning at least one role the permission "use link to login one time"
3. Using a user with "access content" permission and opening example.com/login_one_time_autocomplete_users

Recommend changing the access permission to something like "access user profiles".
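
The recommended permission change, sketched as a Drupal 7 `hook_menu()` entry. This is an added example, not the module's own code or the committed patch: the function names, the "before" access setting and the callback body are assumptions. Only the path and the two permission names come from this issue.

```php
<?php

/**
 * Implements hook_menu().
 *
 * Hypothetical reconstruction; the hook name assumes the module's machine
 * name is "login_one_time".
 */
function login_one_time_menu() {
  $items = array();

  // Before (assumed): "access content" is commonly granted to anonymous
  // visitors, so anyone could query the callback and list usernames.
  //   'access arguments' => array('access content'),

  // After: require the permission that Drupal core uses for its own
  // user/autocomplete path.
  $items['login_one_time_autocomplete_users'] = array(
    'page callback' => 'login_one_time_autocomplete_users',
    'access arguments' => array('access user profiles'),
    'type' => MENU_CALLBACK,
  );

  return $items;
}

/**
 * Autocomplete callback (assumed body, modelled on core's user_autocomplete()).
 */
function login_one_time_autocomplete_users($string = '') {
  $matches = array();
  if ($string !== '') {
    // Prefix match only, capped at 10 rows, so a single request cannot
    // return the whole user table.
    $result = db_select('users', 'u')
      ->fields('u', array('name'))
      ->condition('u.name', db_like($string) . '%', 'LIKE')
      ->range(0, 10)
      ->execute();
    foreach ($result as $account) {
      // Escape the label; the autocomplete widget inserts it as HTML.
      $matches[$account->name] = check_plain($account->name);
    }
  }
  drupal_json_output($matches);
}
```

After changing the access setting, clear the menu cache so the router picks up the new access arguments, then request the path as an anonymous user and confirm it returns 403.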


Comments

cashwilliams’s picture

Issue summary: View changes
Huntelaer’s picture

For those who don't want to have their usernames and ids publicly accessible: Changed access callback to 'access user profiles' as suggested by cashwilliams.

joelpittet’s picture

Status: Active » Reviewed & tested by the community

Seems very reasonable, thanks for the patch and issue.

bapi_22’s picture

I was not active for a couple of months. Let me check.

  • 0646033 committed on 7.x-2.x
    Issue #2499045 by huntelaer,bapi_22,joelpittet : Autocomplete callback...
bapi_22’s picture

Status: Reviewed & tested by the community » Fixed

Hey Huntelaer + joelpittet,
Issue merged.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.