
Personal information leak when editing proposals #1884

Closed
olea opened this issue Dec 12, 2017 · 8 comments

Comments

@olea (Contributor) commented Dec 12, 2017

Problem:

Proposal submitters have access to personal data of (probably?) all the OSEM registered users.

This is not acceptable and could probably be violating data privacy laws.

Verified in master branch at b971220

Expected behaviour:

Third parties' personal information should not be exposed to non-admin users.

Steps to reproduce:

  1. register at OSEM
  2. submit a proposal
  3. go to edit your submitted proposal at, say, http://localhost:9292/conferences/MyConf/program/proposals/2/edit
  4. edit the Speakers field
  5. the field displays a list of other users to select your co-speakers from
  6. this list exposes information about every other registered user: name, username and email.

Mitigation

You can do a quick fix with this patch:

diff --git a/app/views/proposals/_proposal_form.html.haml b/app/views/proposals/_proposal_form.html.haml
index 4b66240c..71bea2eb 100644
--- a/app/views/proposals/_proposal_form.html.haml
+++ b/app/views/proposals/_proposal_form.html.haml
@@ -4,7 +4,7 @@
 
     = f.input :subtitle, as: :string
 
-    = speaker_selector_input f
+    -# = speaker_selector_input f
 
     = track_selector_input f
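Review bot: the `-#` silent comment on `= speaker_selector_input f` hides the widget from the form but leaves the data path intact: the `speaker_selector_input` helper and whatever user collection it renders still exist in the code base, and the proposal controller presumably still permits the speaker parameter, so this is a UI-only stopgap (as the text below acknowledges). Using `-#` rather than a HAML `/` HTML comment is the right choice here, since a `/` comment would still evaluate the helper and ship the full user list inside an `<!-- -->` block. For the real fix, keep the input but have the helper render no user list at all and query a search endpoint that returns only usernames matching the typed text, and add a view test asserting the rendered form contains no `@` strings.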

At the cost of losing the feature of adding other speakers by the submitter.

@anmoliiitd823

Can I go for it, preserving the feature as well as ensuring privacy for the user details? During sign-up it is written that only the username will be displayed to other users, but that is violated here. I would love to work on this one.
[screenshot attached: "screenshot from 2017-12-18 00-05-45"]

@olea (Contributor, Author) commented Dec 18, 2017

Go For It!

anmoliiitd823 added a commit to anmoliiitd823/osem that referenced this issue Dec 21, 2017
@captn3m0 (Contributor)

Anyone working on this?

Right now, it is leaking names+email+usernames of all users registered on our OSEM installation.

captn3m0 added a commit to captn3m0/osem that referenced this issue Mar 18, 2018
- Fixes openSUSE#1884
- Decided to remove real names as well, because the profile page
  calls out the username field as "how other users see you"
@Ana06 (Member) commented Mar 18, 2018

@captn3m0

Anyone working on this?

it doesn't seem so, all yours 😉

@Ana06 (Member) commented Mar 18, 2018

I have just one concern, the name is public. It is shown in the user profile page that can be seen by everybody. Why do we want to hide it?

I would say the only thing we need to hide is the email. @differentreality what do you think?

@olea (Contributor, Author) commented Mar 21, 2018

@Ana06:

There are several points here, at least:

  • the page should not include «all» registered users in the HTML code, first because of privacy concerns and second because if the conference is big the page size can get enormous and, in any case, suboptimal;
  • I can't remember any application doing it this way, especially for filling in a form; IMHO it will not look very professional to other web developers (you can count this as a purely aesthetic decision or as an industry good practice, at your will);
  • it can be easier just to let the user add the email of their collaborators instead of displaying all system users, and if the user is not registered just send her an invitation email;
  • particularly for the CFP process, if you want a blind proposal evaluation you should ensure nobody without admin permissions could get identity information about which users could be registered.

I have just one concern, the name is public. It is shown in the user profile page that can be seen by everybody. Why do we want to hide it?

Well: people's names are public on Facebook too, and these days everybody agrees it is not fun to let anyone collect them ;)

captn3m0 added a commit to captn3m0/osem that referenced this issue Mar 21, 2018
- Fixes openSUSE#1884
- Decided to remove real names as well, because the profile page
  calls out the username field as "how other users see you"
captn3m0 added a commit to captn3m0/osem that referenced this issue Apr 16, 2018
- Fixes openSUSE#1884
- Decided to remove real names as well, because the profile page
  calls out the username field as "how other users see you"
@AndrewKvalheim (Member)

As of 2e21079:

  • The field uses only usernames, not email addresses or display names.
  • Only users matching entered text are returned; the list of all users is not embedded in the page.

#3122 suggests further improvements.
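The design the thread converges on (olea's points above: do not embed every user in the page; and the state described as of 2e21079: usernames only, returned only for text the submitter actually typed), shown as an added Ruby example. This is not OSEM's code: the `User` struct, the sample users, the `CoSpeakerSearch` module and the `leaks_private_data?` check are all constructed here for illustration. It also puts the original behaviour (`legacy_speaker_options`, every user with name and email, as in the reproduction steps) next to the hardened lookup so the check can be run against both.

```ruby
require 'json'

# Constructed record type standing in for OSEM's User model (assumption).
User = Struct.new(:id, :username, :name, :email, keyword_init: true)

# Constructed sample users; in OSEM these would be ActiveRecord rows.
USERS = [
  User.new(id: 1, username: 'alice',    name: 'Alice Adams',  email: 'alice@example.org'),
  User.new(id: 2, username: 'alistair', name: 'Al Baker',     email: 'al@example.org'),
  User.new(id: 3, username: 'bob',      name: 'Bob Brown',    email: 'bob@example.org'),
  User.new(id: 4, username: 'bobby',    name: 'Roberta Cole', email: 'rc@example.org'),
  User.new(id: 5, username: 'carol',    name: 'Carol Diaz',   email: 'carol@example.org'),
].freeze

# What the original form did (per the reproduction steps in this issue):
# embed every registered user, with name and email, into the page of any
# proposal submitter. Kept here only as the "before" for the check below.
def legacy_speaker_options(users = USERS)
  users.map { |u| { id: u.id, username: u.username, name: u.name, email: u.email } }
end

module CoSpeakerSearch
  MIN_QUERY_LENGTH = 2   # no listing on an empty or one-character query
  MAX_RESULTS      = 10  # cap so the endpoint cannot be used to dump the user table

  class NotAuthenticated < StandardError; end

  # Returns at most MAX_RESULTS usernames whose username starts with `query`.
  # Matching is on username only: searching by email or real name would let a
  # caller confirm whether a given address or person is registered.
  def self.suggest(query, current_user:, users: USERS)
    raise NotAuthenticated, 'login required' if current_user.nil?
    q = query.to_s.strip.downcase
    return [] if q.length < MIN_QUERY_LENGTH

    users
      .reject { |u| u.id == current_user.id }          # you cannot be your own co-speaker
      .select { |u| u.username.downcase.start_with?(q) }
      .map(&:username)
      .sort
      .first(MAX_RESULTS)
  end

  # JSON payload for the autocomplete widget: usernames only, nothing else.
  def self.payload(query, current_user:, users: USERS)
    suggest(query, current_user: current_user, users: users)
      .map { |name| { username: name } }
      .to_json
  end
end

# Regression check for a rendered payload: does it carry any field other
# than the username, or any email-shaped string anywhere in the text?
EMAIL_RE = /[^\s"<>@]+@[^\s"<>@]+\.[^\s"<>@]+/
def leaks_private_data?(json_text)
  return true if json_text.match?(EMAIL_RE)
  JSON.parse(json_text).any? { |entry| (entry.keys - ['username']).any? }
end

if __FILE__ == $PROGRAM_NAME
  me = USERS.find { |u| u.username == 'alice' }
  puts CoSpeakerSearch.payload('bo', current_user: me)
  puts "legacy options leak: #{leaks_private_data?(legacy_speaker_options.to_json)}"
  puts "search payload leaks: #{leaks_private_data?(CoSpeakerSearch.payload('bo', current_user: me))}"
end
```

The minimum query length and the result cap are the two knobs that stop the search endpoint from becoming a slower version of the original leak (a one-character prefix enumerated 36 times would otherwise still list every username); the `leaks_private_data?` check is the kind of assertion worth keeping in a view or request spec so the email field cannot quietly come back.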

@hennevogel (Member)

Let's close this then...
