Prevent access to users' data via simple URL edition

Julius · November 6, 2023, 3:10pm

Hi.

We made all projects private in our GitLab installation. But I discovered that it is possible to see a set of meaningful data about a user just by appending his login name to the URL of the GitLab installation. No need to log in: it is visible to the whole world. For instance, if our GitLab URL is https://our.gitlab.com, it is enough to go to https://our.gitlab.com/userloginname to be presented with information about the user userloginname.

How to prevent this?

Thanks.

iwalker · November 6, 2023, 7:18pm

Hi,

Go to Admin → Settings → General → Visibility and access controls

Then set it like below for this particular option:

Julius · November 7, 2023, 3:23pm

It works: thanks!