# Massive security problem!

Please fill out these questions for all feature requests and bug reports. If you're requesting a feature, please let us know why this feature is important or useful, not just what it should do.
Thanks!

1. What browsers show this problem? serverside/all
2. Please share an example project (if possible).
3. Describes the steps to reproduce this issue. snap.berkeley.edu/users/(username)
4. What does Snap! currently do? Reveal user information that should not be public.
{"created:"(date)","id":(number),"role":"(role)","email":"(user@domain.tld)","username":"(username)","verified":(true/false)}
5. What should Snap! do instead? respond with a big fat HTTP 403

Whoa! Right you are, we shouldn't be leaking email addresses. Thanks for reporting it!

@bromagosa, this one's for you.

Hmmm... Are you sure? Did you try with a different user than yourself? (Not you, @bh, you're an admin)

I've just tried it. It does leak any user's information.
EDIT: I've also searched archive.org, but they don't have any record, so that's OK.

Okay, I'm totally overworked right now and can't spend a minute on anything else

Can @cycomachead take a look maybe?

As am I.

I’ll see what I can do. I don’t have a good idea of everywhere this is used.

Also, for security issues PLEASE do not report things publicly.

I am double booked

I support this suggestion. It sounds like a good idea.

Found and fixed. It was a stupid operator precedence error that was affecting not just this one user permission assertion...

Thanks for reporting!

p.s. As @cycomachead suggested, in the future please use contact@snap.berkeley.edu to report security issues.

I forgot to say, this kind of error could have never happened in a blocks-based language!

Bless you!

By the way, I didn't try this on anyone other than another account I had.