This issue was reported to the Security Team and is being moved to the public issue queue due to https://www.drupal.org/node/1004778
The autocomplete callback provided at example.com/login_one_time_autocomplete_users lists usernames.
You can see this by:
1. Enable the module
2. Assign at least one role the permission "use link to login one time"
3. Use a user with "access content" permission and open example.com/login_one_time_autocomplete_users
Recommend changing the access permission to something like "access user profiles".
Comment | File | Size | Author |
---|---|---|---|
#2 | login_one_time-autocomplete_access_callback-2499045-2.patch | 678 bytes | Huntelaer |
Comments
Comment #1
cashwilliams commented
Comment #2
Huntelaer commented
For those who don't want to have their usernames and ids publicly accessible: Changed access callback to 'access user profiles' as suggested by cashwilliams.
Comment #3
joelpittet
Seems very reasonable, thanks for the patch and issue.
Comment #4
bapi_22 at Globant commented
I was not active for a couple of months. Let me check.
Comment #6
bapi_22 at Globant commented
Hey Huntelaer + joelpittet,
Issue merged.
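
The access change described in comment #2, sketched as an added example; it is not the module's code or the attached patch. It assumes Drupal 7's hook_menu() API, and the module name `example_module`, the callback name and the "before" permission (inferred from the reproduction steps) are hypothetical.

```php
<?php

/**
 * Implements hook_menu().
 *
 * Hypothetical module "example_module"; only the path comes from the issue.
 */
function example_module_menu() {
  $items = array();

  // Before (assumed from the reproduction steps): any role holding
  // "access content", which usually includes anonymous, could query the list.
  //   'access arguments' => array('access content'),

  // After: gate the callback on the same permission Drupal core uses for its
  // own user/autocomplete path, so only roles already allowed to view user
  // profiles can enumerate usernames.
  $items['login_one_time_autocomplete_users'] = array(
    'page callback' => 'example_module_autocomplete_users',
    'access callback' => 'user_access',
    'access arguments' => array('access user profiles'),
    'type' => MENU_CALLBACK,
  );

  return $items;
}

/**
 * Page callback (hypothetical name): returns usernames matching a prefix.
 */
function example_module_autocomplete_users($string = '') {
  $matches = array();
  if ($string !== '') {
    // Prefix match with escaped LIKE wildcards, capped at 10 rows so a single
    // request cannot dump the whole users table.
    $result = db_select('users', 'u')
      ->fields('u', array('name'))
      ->condition('u.name', db_like($string) . '%', 'LIKE')
      ->range(0, 10)
      ->execute();
    foreach ($result as $account) {
      $matches[$account->name] = check_plain($account->name);
    }
  }
  drupal_json_output($matches);
}
```

After changing a menu item's access settings, rebuild the menu router (clear caches) and confirm that a session without "access user profiles" receives a 403 on the path.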