• Hi,

    In my installation, even users that are not logged in can access any user profile under /user/username with all personal details, which is really bad. I managed to restrict access to logged-in users, but logged-in users can still access other persons' profiles if they know their name, although I unchecked the box in the user's role for editing other profiles.
    Since this behaviour is absolutely not in agreement with GDPR, I need to change this urgently.
    Please advise how I make the user profile pages only accessible for admins and the logged-in user itself.
    Thanks in advance
    Thomas

  • @wat19

    You can try to unclick this option:

    UM User Roles -> Edit the Registration default Role -> Profile Access -> “Can view other member profiles?”

    Thread Starter wat19

    (@wat19)

    Hi, thanks for the quick reply. The option you suggest is already off,
    which makes me wonder if something's broken here. As I wrote, even users not logged in are able to view the profiles, which shouldn’t be the case under any circumstances, and there should be no need to explicitly restrict access.
    br
    thomas

    @wat19

    Do you have any caching server side?

    Thread Starter wat19

    (@wat19)

    Not that I know of. It's simply a webspace hosted by pixelx and I just installed WordPress and a couple of plugins.

    @wat19

    Ask the web hosting support if they have any page caching active.
    Turn off caching for the UM pages.

    https://docs.ultimatemember.com/article/1595-caching-problems

    Thread Starter wat19

    (@wat19)

    I will contact support and come back to you as soon as I have news.
    Thank you very much in the meantime.

    @wat19

    You can also try to clear your browser cache.

    Thread Starter wat19

    (@wat19)

    Hi,
    It can’t be the Browser Cache, because I tried with 3 different Browsers and also used completely different Profiles that were still accessible.

    I just checked on my site and can confirm this.

    No caching. Was able to access full profile of a user without logging in!! :O

    Even in the Settings > Appearance > Profile Menu section when visibility of the Acout page is set to “Only the owner”, anyone can view the about tab.

    Only way to hide it was to disable the About tab, but then even the owner cannot see their account details.

    @oxidesigns

    Can you post your UM Settings -> Install info here in the Forum?

    Sorry, can’t post in public. Any way I can send it to you?

    @oxidesigns

    You can remove your domain and paths from the listing.

    ### Begin Install Info ###
    
    ## Please include this information when posting support requests ##
    
    --- Site Info ---
    
    Site URL:					https://www.website.com
    Home URL:					https://www.website.com
    Multisite:					No
    
    --- Hosting Provider ---
    
    Host:						DBH: 192.168.0.0, SRV: www.website.com
    
    --- User Browser ---
    
    Platform:                 Windows 
    Browser Name:             Chrome  
    Browser Version:          105.0.0.0 
    User Agent String:        Mozilla/5.0 (Windows NT 10.0; Wi 
    			  n64; x64) AppleWebKit/537.36 (KH
                              TML, like Gecko) Chrome/105.0.0.
                              0 Safari/537.36
                              
    ---- Current User Details --
    
    Role: administrator
    
    --- WordPress Configurations ---
    
    Version:						6.0.2
    Language:					en_US
    Permalink Structure:			/%year%/%postname%/
    Active Theme:				My Listing 2.7.3
    Page On Front:				Home (#126)
    Page For Posts:				 (#0)
    ABSPATH:					/wordpress/
    All Posts/Pages:				5
    WP Remote Post:           		wp_remote_post() works
    WP_DEBUG:                 			Disabled
    WP Table Prefix:          			Length: 3, Status: Acceptable
    Memory Limit:   				128MB
    
    --- UM Configurations ---
    
    Version:						2.5.0
    Upgraded From:            		2.5.0
    Current URL Method:			
    Cache User Profile:			Yes
    Generate Slugs on Directories:	Yes
    Force UTF-8 Encoding: 		No
    JS/CSS Compression: 			No
    Port Forwarding in URL: 		No
    Exclude CSS/JS on Home: 		No
    
    --- UM Pages Configuration ---
    
    User:						https://www.website.com/profile/
    Account:						https://www.website.com/my-account/
    Members:					https://www.website.com/members-2/
    Register:						https://www.website.com/register/
    Login:						https://www.website.com/login/
    Logout:						https://www.website.com/logout/
    Password Reset:				https://www.website.com/password-reset/
    
    --- UM Users Configuration ---
    
    Default New User Role: 		0
    Profile Permalink Base:		name
    User Display Name:			first_name
    Force Name to Uppercase:		No
    Redirect author to profile: 		Yes
    Enable Members Directory:	Yes
    Use Gravatars: 				No
    Require a strong password: 	On
    
    --- UM Access Configuration ---
    
    Panic Key: 								
    Global Site Access:						Site accessible to Everyone
    Backend Login Screen for Guests:			No
    Redirect to alternative login page:			
    Backend Register Screen for Guests:		No
    Redirect to alternative register page:		
    Access Control widget for Admins only: 		No
    Enable the Reset Password Limit:			Yes
    Reset Password Limit:					3
    Disable Reset Password Limit for Admins:	No
    Blacklist Words: 							6
    
    --- UM Email Configurations ---
    
    Mail appears from:  			WEBSITE NAME
    Mail appears from address:  	[email protected]
    Use HTML for E-mails:   		Yes
    Account Welcome Email:  		Yes
    Account Activation Email:   	No
    Pending Review Email:   		No
    Account Approved Email: 		No
    Account Rejected Email: 		No
    Account Deactivated Email:  	Yes
    Account Deleted Email:  		Yes
    Password Reset Email:   		Yes
    Password Changed Email: 		Yes
    
    --- UM Total Users ---
    
    				All Users(3)
    administrator(2)
    um_trade-partner(1)
    none(0)
    
    --- UM Roles ---
    
    				Administrator (administrator)
    Editor (editor)
    Author (author)
    Contributor (contributor)
    Subscriber (subscriber)
    Customer (customer)
    Shop manager (shop_manager)
    Trade Partner (um_trade-partner)
    Card Holder (um_card-holder)
    
    --- UM Custom Templates ---
    
    				N/A
    
    --- UM Email HTML Templates ---
    
    				N/A
    
    --- Web Server Configurations ---
    
    PHP Version:              			7.4.30
    MySQL Version:            			5.7.38
    Web Server Info:          			Flywheel/5.1.0
    
    --- PHP Configurations ---
    
    PHP Memory Limit:         			128M
    PHP Upload Max Size:      			300M
    PHP Post Max Size:        			300M
    PHP Upload Max Filesize:  			300M
    PHP Time Limit:           			178
    PHP Max Input Vars:       			10000
    PHP Arg Separator:        			&
    PHP Allow URL File Open:  			Yes
    
    --- Web Server Extensions/Modules ---
    
    DISPLAY ERRORS:           			N/A
    FSOCKOPEN:                			Your server supports fsockopen.
    cURL:                     			Your server supports cURL.
    SOAP Client:              			Your server has the SOAP Client enabled.
    SUHOSIN:                  			Your server does not have SUHOSIN installed.
    GD Library:               			PHP GD library is installed on your web server.
    Mail:                     			PHP mail function exist on your web server.
    Exif:				          PHP Exif library is installed on your web server.
    
    --- Session Configurations ---
    
    Session:                  			Disabled
    Session Name:             			PHPSESSID
    Cookie Path:              			/
    Save Path:                			/tmp
    Use Cookies:              			On
    Use Only Cookies:         			On
    
    --- WordPress Active Plugins ---
    
    				Code Snippets: 3.2.0
    Elementor: 3.7.4
    Elementor Header & Footer Builder: 1.6.13
    Essential Addons for Elementor: 5.2.4
    Ultimate Member: 2.5.0
    UpdraftPlus - Backup/Restore: 1.22.21
    User Menus: 1.2.9
    Weather Station: 3.8.11
    Wordfence Security: 7.6.1
    WPForms: 1.7.5.4
    WP Mail SMTP: 3.5.2
    
    ### End Install Info ###

    Thread Starter wat19

    (@wat19)

    Hi,
    Here is our info:

    ### Begin Install Info ###
    
    ## Please include this information when posting support requests ##
    
    --- Site Info ---
    
    Site URL:					https://mydomain.com
    Home URL:					https://mydomain.com
    Multisite:					No
    
    --- Hosting Provider ---
    
    Host:						DBH: localhost:3306, SRV: mydomain.com
    
    --- User Browser ---
    
    Platform:                 Android 
    Browser Name:             Firefox  
    Browser Version:          104.0 
    User Agent String:        Mozilla/5.0 (Android 12; Mobile; 
    			   rv:104.0) Gecko/104.0 Firefox/1
                              04.0
                              
    ---- Current User Details --
    
    Role: administrator
    
    --- WordPress Configurations ---
    
    Version:						6.0.2
    Language:					de_DE
    Permalink Structure:			/%postname%/
    Active Theme:				Blocksy 1.8.46
    Page On Front:				Home (#678)
    Page For Posts:				News (#283)
    ABSPATH:					/var/www/vhosts/mydomain.com/httpdocs/
    All Posts/Pages:				4
    WP Remote Post:           		wp_remote_post() works
    WP_DEBUG:                 			Disabled
    WP Table Prefix:          			Length: 10, Status: Acceptable
    Memory Limit:   				40MB
    
    --- UM Configurations ---
    
    Version:						2.5.0
    Upgraded From:            		2.5.0
    Current URL Method:			
    Cache User Profile:			Yes
    Generate Slugs on Directories:	Yes
    Force UTF-8 Encoding: 		No
    JS/CSS Compression: 			No
    Port Forwarding in URL: 		No
    Exclude CSS/JS on Home: 		No
    
    --- UM Pages Configuration ---
    
    User:						https://mydomain.com/user/
    Account:						https://mydomain.com/account/
    Members:					https://mydomain.com/members/
    Register:						https://mydomain.com/mitgliedschaftsantrag/
    Login:						https://mydomain.com/login/
    Logout:						https://mydomain.com/logout/
    Password Reset:				https://mydomain.com/password-reset/
    
    --- UM Users Configuration ---
    
    Default New User Role: 		subscriber
    Profile Permalink Base:		user_login
    User Display Name:			full_name
    Force Name to Uppercase:		No
    Redirect author to profile: 		Yes
    Enable Members Directory:	No
    Use Gravatars: 				Yes
    Gravatar builtin image:		identicon
    	UM Avatar as blank Gravatar: 	No
    Require a strong password: 	Off
    
    --- UM Access Configuration ---
    
    Panic Key: 								
    Global Site Access:						Site accessible to Everyone
    Backend Login Screen for Guests:			No
    Redirect to alternative login page:			
    Backend Register Screen for Guests:		No
    Redirect to alternative register page:		
    Access Control widget for Admins only: 		No
    Enable the Reset Password Limit:			Yes
    Reset Password Limit:					3
    Disable Reset Password Limit for Admins:	No
    Blacklist Words: 							5
    
    --- UM Email Configurations ---
    
    Mail appears from:  			WAT
    Mail appears from address:  	[email protected]
    Use HTML for E-mails:   		Yes
    Account Welcome Email:  		Yes
    Account Activation Email:   	No
    Pending Review Email:   		No
    Account Approved Email: 		Yes
    Account Rejected Email: 		No
    Account Deactivated Email:  	No
    Account Deleted Email:  		No
    Password Reset Email:   		Yes
    Password Changed Email: 		Yes
    
    --- UM Total Users ---
    
    				All Users(396)
    administrator(2)
    um_vortunerinnen(11)
    um_mitglied(378)
    um_vorstandsmitglied(5)
    none(0)
    
    --- UM Roles ---
    
    				Administrator (administrator)
    Editor (editor)
    Author (author)
    Contributor (contributor)
    Subscriber (subscriber)
    VortunerInnen (um_vortunerinnen)
    Mitglied (um_mitglied)
    Vorstandsmitglied (um_vorstandsmitglied)
    
    --- UM Custom Templates ---
    
    				N/A
    
    --- UM Email HTML Templates ---
    
    				N/A
    
    --- Web Server Configurations ---
    
    PHP Version:              			8.1.9
    MySQL Version:            			10.3.34
    Web Server Info:          			Apache
    
    --- PHP Configurations ---
    
    PHP Memory Limit:         			256M
    PHP Upload Max Size:      			64M
    PHP Post Max Size:        			64M
    PHP Upload Max Filesize:  			64M
    PHP Time Limit:           			60
    PHP Max Input Vars:       			30000
    PHP Arg Separator:        			&
    PHP Allow URL File Open:  			Yes
    
    --- Web Server Extensions/Modules ---
    
    DISPLAY ERRORS:           			N/A
    FSOCKOPEN:                			Your server supports fsockopen.
    cURL:                     			Your server supports cURL.
    SOAP Client:              			Your server has the SOAP Client enabled.
    SUHOSIN:                  			Your server does not have SUHOSIN installed.
    GD Library:               			PHP GD library is installed on your web server.
    Mail:                     			PHP mail function exist on your web server.
    Exif:				          PHP Exif library is installed on your web server.
    
    --- Session Configurations ---
    
    Session:                  			Disabled
    Session Name:             			PHPSESSID
    Cookie Path:              			/
    Save Path:                			/var/www/vhosts/mydomain.com/tmp
    Use Cookies:              			On
    Use Only Cookies:         			On
    
    --- WordPress Active Plugins ---
    
    				Blocksy Companion: 1.8.46
    Code Snippets: 3.2.0
    Duplicate Page: 4.4.9
    EditorsKit: 1.33.9
    Font Awesome: 4.3.1
    Import Users: 1.3
    Manage User Columns: 1.0.4
    Map Block for Google Maps: 1.32
    Stackable - Gutenberg Blocks: 3.4.5
    Ultimate Member: 2.5.0
    Ultimate Member - reCAPTCHA: 2.3.1
    wpDataTables - Tables & Table Charts: 2.1.40
    WPForms Lite: 1.7.6
    WP Ultimate CSV Importer: 7.0
    
    ### End Install Info ###
    					
    Thread Starter wat19

    (@wat19)

    Further info from our web host: the installation is based on Plesk, which is not caching anything.
    So also in our case, no caching!!

  • The topic ‘URI /User/namexxx readable for everybody’ is closed to new replies.
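
One way to enforce the restriction asked for in this thread (profile pages visible only to administrators and to the profile's owner), as an added example that is not code from the thread participants or from Ultimate Member. It assumes Ultimate Member 2.x is active and that its `um_is_core_page()` and `um_get_requested_user()` helpers are available; the function name `hm_restrict_profile_view` and the hook priority are hypothetical choices.

```php
<?php
/**
 * Added example: server-side access check for Ultimate Member profile pages.
 * Allows only administrators and the profile owner; everything else fails closed.
 */

// Priority 10000 is an assumption: the check must run after Ultimate Member
// has resolved the profile slug in the URL to a user ID. If it runs too
// early, $requested below is false and the request is denied (fail closed).
add_action( 'template_redirect', 'hm_restrict_profile_view', 10000 );

function hm_restrict_profile_view() {
	// Only act on the UM "User" (profile) page, and only if UM is loaded.
	if ( ! function_exists( 'um_is_core_page' ) || ! um_is_core_page( 'user' ) ) {
		return;
	}

	// Never let an intermediate cache store a profile response.
	nocache_headers();

	// Guests are sent to the login form instead of the profile.
	if ( ! is_user_logged_in() ) {
		wp_safe_redirect( wp_login_url() );
		exit;
	}

	// Administrators may view any profile.
	if ( current_user_can( 'manage_options' ) ) {
		return;
	}

	// User ID of the profile being requested, or false if none was resolved.
	$requested = um_get_requested_user();

	// The owner may view their own profile.
	if ( $requested && (int) $requested === get_current_user_id() ) {
		return;
	}

	// Any other logged-in user is denied with an explicit 403.
	wp_die(
		esc_html( 'You are not allowed to view this profile.' ),
		'',
		array( 'response' => 403 )
	);
}
```

After adding it (for example through the Code Snippets plugin listed in both install reports), confirm the result from a logged-out browser session and from a second non-admin account, requesting another member's /user/username URL each time.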