Any users including non-logged in public can view map pages and therefore contact name and address info for any contact id

The mapping pages do not abide by any permissioning in Joomla. therefore mapping pages and contact information are publically available on all sites by using a standard url string and putting in any contact id.

Example url is:

http://joomla.demo.civicrm.org/index.php?option=com_civicrm&task=civicrm/profile/map&reset=1&pv=1&cid=2&gid=1

This is available even if the mapping is not enabled on the profile.

See forum topic:

http://forum.civicrm.org/index.php/topic,20965.0.html

Need to have some sort of field with the mapping choice on the profile to say 'public pages' or 'user & user admin' to show whether the mapping is viewable by non-users, also to check whether mapping is enabled for the profile or not.

Hope that is enough info!

Probably affects all previous versions too, not sure what priority this should have as there is no mention of data security in the level info - please feel free to change as you see fit.