Feature #38853
open
do not disclose login account names (public projects disclose some user info)
0%
Description
As did not get any reaction, I think it is worth submitting a ticket:
Following the discussion:
We recently observed the fact that Redmine (at least until Remdmine 4.2) has the somewhat doubtable default setting that role 2 (anonymous) has the right to see all users and not only members of visible projects. I would say the latter would be a better default.
Furthermore, when there are public projects, all members of these projects are still visible to the public, together with their (login) account name, which is, in case of directory integration, their user name.
This clearly is an information that should not go to the public.
So I would suggest to
- not disclose redmine login account names to the public, even in public projects (this could probably be reached by adding a nick for public display)
- provide an option to add noindex directives to search bots for user and group information
Kind regards, Tom
Environment:
Redmine version 5.0.5.stable
Ruby version 2.7.5-p203 (2021-11-24) [x86_64-linux-gnu]
Rails version 6.1.7.2
Environment production
Database adapter PostgreSQL
Mailer queue ActiveJob::QueueAdapters::AsyncAdapter
Mailer delivery smtp
Redmine settings:
Redmine theme Default
SCM:
Subversion 1.13.0
Mercurial 5.3.1
Cvs 1.12.13
Bazaar 3.0.2
Git 2.39.2
Filesystem
Redmine plugins:
no plugin installed
Files
Updated by 
Updated by