On 24/08/06, Steve Bennett <stevage(a)gmail.com> wrote:
> Ok, brainstorming, I guess someone could constantly attempt to
> pageview a page that required administrative privileges (like
> unblocking themselves), and hope by sheer chance that an admin ended
> up getting their pageview? Interestingly there aren't really any
> privacy implications that I'm aware of, as there are almost no pages
> for which *read* access is restricted to certain users.

Depending upon your point of view, being able to nip into someone
else's preferences and read their email address might be considered an
exposure of private data.

Even if the problem *was* that other users' page views were being
served up (as far as I'm aware, it's a credentials problem, right?)
then the token mechanism we have in place should protect against that,
theoretically.

Rob Church