Privacy issue with direct links

When checking another user’s profile, you can see the summary, activity, invites and badges while preferences, messages and notifications are hidden.
If you enter the direct URL for preferences, something like, it will redirect to activity. An error is shown if you try the same thing for messages but notifications can be viewed with the URL. This includes a full list of the likes, responses and mentions I received and edits made to my posts.
If it is supposed to be private, why is it accessible and if it’s nothing important, why is it not accessible from the profile anyway?


Huh, you’re right about the notifications url. I liked it, placed in your name, then saw you got a notification about a like from me.

That’s pretty weird, though luckily it seems to be just notifs.


If it’s a hole, I guess it’s a software hole, not ours forum settings issue.
Though to confirm it, @wincenworks’s attention needed.
And if it’s not our forum issue, I think it needs be reported to Discourse developers


I can check it with another discourse forum to see if it’s fundamental or related to wincen’s setting.

If you’ll find one, you’ll do a favour

Found one.
It happens in discourse in general. So probably the devs should be called.