
SOLVED

Geometrix view and edit profile URL problem


Level 5

Hi

We are using the view and edit profile functionality from Geometrix on our site.

A logged-in user can click the "my profile" link, which generates the following URL:

http://<my server:4503>/home/users/a/user1/profile.form.html/content/en-US/account/viewprofile

The user gets to view his profile.

Now, if in the same login session the user edits the URL in the browser to

http://<my server:4503>/home/users/a/user2/profile.form.html/content/en-US/account/viewprofile

he can still view another user's profile information.

This should not be the case. How do we prevent this?

Also, in the first place the URL with the user node should not be visible to the end user. Can we do any mapping to hide this (maybe at the web server level)? Any help on this is greatly welcome.

Thanks in advance.


Regards,

1 Accepted Solution


Correct answer by
Level 9

Yeah. This is an issue with the AEM out-of-the-box user-related components. As you said, user node information should not be visible to the end user. However, in order to match a particular selector, AEM makes the user node accessible to everyone. Imagine the same case on the publish server. We have to have read access to these nodes.

In order to fix it, we may need to customize the existing components. If you want to try something, here are a few hints:

  1. Do the Sling mapping of /home/users/ to "<some name - myprofile>". This way you could hide some information, not all. So the new URL would be like this: /myprofile/a/user1/.......
  2. Use the resourceResolver.resolve(..) API to resolve the /myprofile/a/user1 path to the actual path (/home/users/).

--

jitendra


3 Replies



Employee Advisor

In 6.1 this problem may not be there, as in 6.1 random strings are used for the names of the profile nodes instead of user IDs. This change was done in 6.1 for performance and scalability reasons. So in the profile page URL, instead of the user name you will see a random profile ID in 6.1, which is difficult to guess. Check this page - http://labs.6dglobal.com/blog/2015-06-03/changing-user-passwords-aem-61-curl/ 

For a foolproof solution, or if you are on version 5.6.1, I guess you can extend the profile component and add a simple check in the component code to throw an error if the user ID passed in the URL does not match the user ID of the current session. You can get the user ID by calling the https://docs.adobe.com/docs/en/cq/5-6-1/javadoc/index.html?com/adobe/granite/security/user/UserPrope... getAuthorizableID() API method. 
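The ownership check suggested in the two answers above, written out as a Sling request filter. This is an added example for this thread, not code from the original posts or from Adobe; the package name, the class name and the use of Felix SCR `@SlingFilter` annotations for registration are assumptions. It also covers the first answer's `/etc/map` alias: by the time a filter runs, Sling has already resolved `/myprofile/a/user1/...` to the real `/home/users/...` path, so no separate `resourceResolver.resolve(..)` call is needed to see the node the request really targets.

```java
package com.example.aem.profile; // hypothetical package name

import java.io.IOException;

import javax.jcr.RepositoryException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

import org.apache.felix.scr.annotations.sling.SlingFilter;
import org.apache.felix.scr.annotations.sling.SlingFilterScope;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.resource.ResourceResolver;

/**
 * Request filter that refuses to serve anything under /home/users/ unless the
 * resolved resource lies inside the home node of the user who owns the session.
 * Registration through Felix SCR annotations is an assumption; the order value
 * is arbitrary and only needs to place the filter before the rendering scripts.
 */
@SlingFilter(scope = SlingFilterScope.REQUEST, order = -1000)
public class OwnProfileOnlyFilter implements Filter {

    private static final String USERS_ROOT = "/home/users/";

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        if (!(req instanceof SlingHttpServletRequest)) {
            chain.doFilter(req, resp);
            return;
        }
        SlingHttpServletRequest request = (SlingHttpServletRequest) req;
        // For .../a/user2/profile.form.html/content/... this is /home/users/a/user2/profile:
        // selectors, extension and suffix are not part of the resource path, and any
        // /etc/map alias has already been translated back to the repository path.
        String path = request.getResource().getPath();
        if (!path.startsWith(USERS_ROOT)) {
            chain.doFilter(req, resp); // not a user-home request, leave it alone
            return;
        }
        if (!isOwnProfile(request.getResourceResolver(), path)) {
            ((HttpServletResponse) resp).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, resp);
    }

    /** True only if requestedPath equals, or lies below, the session user's own home node. */
    static boolean isOwnProfile(ResourceResolver resolver, String requestedPath) {
        String sessionUserId = resolver.getUserID();
        if (sessionUserId == null || "anonymous".equals(sessionUserId)) {
            return false; // unauthenticated requests never qualify
        }
        UserManager userManager = resolver.adaptTo(UserManager.class);
        if (userManager == null) {
            return false; // fail closed if the user cannot be looked up
        }
        try {
            Authorizable me = userManager.getAuthorizable(sessionUserId);
            if (me == null) {
                return false;
            }
            // Compare repository paths rather than IDs: this works whether the node
            // name is the user ID (5.6.1) or a random string (6.1), and the trailing
            // slash stops /home/users/a/user1 from matching /home/users/a/user10.
            String home = me.getPath();
            return requestedPath.equals(home) || requestedPath.startsWith(home + "/");
        } catch (RepositoryException e) {
            return false;
        }
    }

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void destroy() { }
}
```

With this in place the second URL from the question (user1's session requesting /home/users/a/user2/profile...) gets a 403 instead of user2's profile, while user1's own profile renders as before. The filter only enforces ownership; it does not by itself hide the /home/users path, so it is meant to sit alongside the /etc/map alias from the first answer rather than replace it. If moderators or administrators legitimately need to open other users' profiles, that is a separate, explicit allowance (for example a group membership check) and should not be folded into the default rule.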


Level 5

FYI - since labs.6dglobal.com is down, here's a link to the post about changing password via curl on my personal blog: https://www.danklco.com/posts/2015/06/03/changing-user-passwords-aem-61-curl/