Tracker module allows any user to access /user/%uid/track pages by default.
That might be a potentially problem if content associated to user being tracked isn't in control or has the properly permissions, so sensitive content could be accesed easily in Track tab from a profile page.
Search engines show this link by default and allows access. A common SEO problem on Drupal sites is that search engines will index URL parameters that should not be indexed as /tracker or /user/*/track pages.
I attach this patch to limit theses access only for administrators and users who match with the tracking page being accessed (users are able to view their own Track activity).
I don't now if this is a valid approach, by anyway, thanks for your feedback.
Not all content is available!
It's likely this issue predates Contrib.social: some issue and comment data are missing.
This extension is deprecated and scheduled for removal in Drupal 11.
This is now Postponed. The status is set according to two policies. The Remove a core extension and move it to a contributed project β and the Extensions approved for removal β policies.
It will be moved to the contributed extension β once the Drupal 11 branch is open.
