User ID and Group ID of users can be enumerated

[sei-vsarvepalli]

A logged in user can enumerate the current users in VINCE using user_id and group_id integers for

VINCE/vinny/urls.py

Lines 129 to 131 in 142d39a

	re_path('profile/user_card/(?P<id>[0-9]+)?/$', views.UserCardView.as_view(), name='usercard'),
	re_path('profile/group_card/(?P<id>[0-9]+)?/$', views.GroupCardView.as_view(), name='groupcard'),
	re_path('profile/group_card/(?P<id>[0-9]+)?/(?P<case>[0-9]+)?/$', views.GroupCardView.as_view(), name='groupcardcase'),

While this is only possible for all logged in users, it is predictable and can be used to harvest information from VINCE as an authorized user. This issue was reported by @sharonb as a privacy concern for current VINCE users.

[sei-vsarvepalli]

Resolved by #52 thanks to @sharonb for reporting this via VINCE.