The ReferenceManager uses a cache to store information about previously accessed references. The used cachePrefix
in deck (see here) is independent of the user. If User1 has access to a deck card and the reference data is stored in the cache, any user with knowledge of the boardId/cardId can access the information of that deck card.
User “Admin”:
{F2025386}
User “Test”:
{F2025389}
I think the impact should be minimal, because multiple things need to happen to leak information (the reference needs to be cached, another user needs to know the url, etc.).
The GitHub-Integration uses the userId
as a cachePrefix, this so this shouldn’t be a issue in that case, see here.
I haven’t looked at other reference providers.