On 24/08/06, Steve Bennett stevage@gmail.com wrote:
> OK, brainstorming, I guess someone could constantly attempt to pageview a page that required administrative privileges (like unblocking themselves), and hope by sheer chance that an admin ended up getting their pageview? Interestingly, there aren't really any privacy implications that I'm aware of, as there are almost no pages for which *read* access is restricted to certain users.
Depending upon your point of view, being able to nip into someone else's preferences and read their email address might be considered an exposure of private data.
Even if the problem *was* that other users' page views were being served up (as far as I'm aware, it's a credentials problem, right?), then the token mechanism we have in place should protect against that, theoretically.
Rob Church