Opened 6 years ago
Last modified 6 years ago
#7816 new defect (bug)
Search retrieves users with field visibility adminsonly for non-admins
Reported by: | gheebuttersnaps | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Contributions | Priority: | normal |
Severity: | normal | Version: | |
Component: | Core | Keywords: | |
Cc: |
Description
The search function appears not to behave as expected.
Members are able to hide certain information from other members. For example, one member can set their profile field current location to “adminsonly”. Let’s assume this example. We have user Thomas in city Berlin and user Peter in city Munich. Thomas decides to hide his location from other members and sets the field visibility to adminsonly. Now Peter views Thomas’ profile and is not able to see his location. So far everything works as expected. Now Peter uses the search function and uses the keyword “Berlin”. The result set contains Thomas (without displaying any information about the city) although Peter should not be able to know the city.
Expected behaviour: The search function should only search fields which are available/visible to the user conducting the search.
This enhancement might also be relevant regarding GDPR.
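The scenario above as a small model, added here as an illustration and not taken from the ticket or from the project's code: a search that matches every stored value next to one that applies the same visibility rule the profile page uses. All class and function names are hypothetical, the data is constructed from the ticket's Thomas/Peter scenario, and it is an assumption that owners can see their own adminsonly fields.

```python
from dataclasses import dataclass

# Simplified model (assumption): only two visibility levels, "public" and
# the ticket's "adminsonly". All names below are hypothetical.

@dataclass(frozen=True)
class Field:
    name: str
    value: str
    visibility: str = "public"

@dataclass(frozen=True)
class User:
    login: str
    fields: tuple
    is_admin: bool = False

def can_view(viewer, owner, field):
    """The rule a profile page applies before rendering a field."""
    if field.visibility == "adminsonly":
        # Assumption: the owner may also see their own hidden field.
        return viewer.is_admin or viewer.login == owner.login
    return True

def search_all_fields(users, viewer, term):
    """Reported behaviour: the viewer is ignored and every value is matched,
    so a hit confirms a hidden value even though it is never displayed."""
    t = term.lower()
    return [u.login for u in users
            if any(t in f.value.lower() for f in u.fields)]

def search_visible_fields(users, viewer, term):
    """Expected behaviour: match only values the searcher is allowed to view."""
    t = term.lower()
    return [u.login for u in users
            if any(can_view(viewer, u, f) and t in f.value.lower()
                   for f in u.fields)]

# Constructed sample data following the ticket's scenario.
THOMAS = User("thomas", (Field("location", "Berlin", "adminsonly"),))
PETER = User("peter", (Field("location", "Munich"),))
ADMIN = User("admin", (), is_admin=True)
USERS = [THOMAS, PETER, ADMIN]

if __name__ == "__main__":
    print("all fields, Peter:    ", search_all_fields(USERS, PETER, "Berlin"))
    print("visible fields, Peter:", search_visible_fields(USERS, PETER, "Berlin"))
    print("visible fields, admin:", search_visible_fields(USERS, ADMIN, "Berlin"))
```

A regression test for this ticket needs both a non-admin and an admin searcher, since the admin result is expected to include Thomas.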
Are you searching as an admin user?