HI
We are using the view and edit profile functionality from Geometrix on our site.
One user who is logged in can click on "my profile" link which generates following URL:
http://<my server:4503>/home/users/a/user1/profile.form.html/content/en-US/account/viewprofile
User gets to view his profile
now if in the same user login session user edits the URL in the browser to
http://<my server:4503>/home/users/a/user2/profile.form.html/content/en-US/account/viewprofile
He can still view another users profile information.
Which should not be the case, How do we prevent this.
Also in the first place the URL with user node should not be visisble to end user, can we do any mapping to hide this(may be on webserver level). any help on is greatly welcome.
Thanks in advance.
Regards,
Solved! Go to Solution.
Views
Replies
Total Likes
Yeah. This is an issue with AEM out of the box user related components. As you said,
In order to fix it, we may require to do the customization in existing components. If you
--
Views
Replies
Total Likes
Yeah. This is an issue with AEM out of the box user related components. As you said,
In order to fix it, we may require to do the customization in existing components. If you
--
Views
Replies
Total Likes
In 6.1 this problem may not be there as in 6.1 instead of user Ids random strings are used for the name of the profile nodes. This change was done in 6.1 for performance and scalability reasons. So, in the profile page URL instead of the user name you will see a random profile id in 6.1, which is difficult to guess. Check this page - http://labs.6dglobal.com/blog/2015-06-03/changing-user-passwords-aem-61-curl/
For fool proof solution or if you are on 5.6.1 version then I guess you can extend the profile component and add a simple check in the component code to throw an error if the user Id passed in the URL does not match with the userId of the current session. You can get the userId by calling the https://docs.adobe.com/docs/en/cq/5-6-1/javadoc/index.html?com/adobe/granite/security/user/UserPrope... getAuthorizableID() API method.
Views
Replies
Total Likes
FYI - since labs.6dglobal.com is down, here's a link to the post about changing password via curl on my personal blog: https://www.danklco.com/posts/2015/06/03/changing-user-passwords-aem-61-curl/
Views
Replies
Total Likes
Views
Likes
Replies