• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

XF 1.5 How to prevent users to get access to all the users in the forum?

Right now any users can get access to the list of all the users that has ever registered to the the forum with simply changing the number next to the user name.
How can this be prevented?


Active member
If I got you right you want to disable the members list, well you can do that buy uncheck this option by going to ACP > Setup > Options > User options.
Users can still see all the users in the forum by changing the number next to the members/username.4/.
If you change the number to "3" it will display the user so basicly every user can see all the users that ever registered and spam them.
Yes but then users can not see profiles at all... Surely there is a more elegant way of making the forum database of users without this exploit?
I mean its either users can see all the users that ever registered or users cannot access users profile at all.
No other way to allow users to see users that post but not users that never post?
I mean I have 2 options now, either to not allow all the users to see other users and rendering my forum basically useless or allow every new users that register getting spammed on the second he registers.
when changing the number next to the user name it should NOT give users the user profile in that number! its a bug that seems to be in all the version of this forum.
Surely there is a fix for this simple exploit? it is such an expensive forum and it is completely useless because of the way it builds the users database.


Active member
How can this not be a bug?
Just copy this link and change the number and it will take your to the profile of the user in that number.
for example I change to your number (3084) and it will take me to your profile
This is an exploite that does not exist in other forums.
This is how XF deals with members URL's. And @Mike or @Chris D or @Kier can confirm this.

Chris D

XenForo developer
Staff member
This is an exploite that does not exist in other forums.
Actually, it's pretty much how every single forum software works, ever.





Everything in a web application needs an ID to identify it. Sometimes that ID is a number, other times it is a string (like Twitter).

If a user has a particular problem that their profile could be found in this way, or has other privacy concerns, they can just use the privacy settings on their profile.