Feature #38853

Changes user visibility from "all" to "member of visible projects" for new roles and existing builtin roles

Added by Thomas Meyer over 1 year ago. Updated about 2 months ago.

Status:
Closed
Priority:
Normal
Category:
Accounts / authentication
Target version:
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Fixed

Description

As public project without public access to user info - do no... did not get any reaction, I think it is worth submitting a ticket:

Following the How to prohibit public access to user info discussion:

We recently observed the fact that Redmine (at least until Redmine 4.2) has the somewhat doubtable default setting that role 2 (anonymous) has the right to see all users and not only members of visible projects. I would say the latter would be a better default.

Furthermore, when there are public projects, all members of these projects are still visible to the public, together with their (login) account name, which is, in case of directory integration, their user name.

This clearly is information that should not go to the public.

So I would suggest to

  • not disclose Redmine login account names to the public, even in public projects (this could probably be reached by adding a nick for public display)
  • provide an option to add noindex directives to search bots for user and group information

Kind regards, Tom

Environment:
Redmine version 5.0.5.stable
Ruby version 2.7.5-p203 (2021-11-24) [x86_64-linux-gnu]
Rails version 6.1.7.2
Environment production
Database adapter PostgreSQL
Mailer queue ActiveJob::QueueAdapters::AsyncAdapter
Mailer delivery smtp
Redmine settings:
Redmine theme Default
SCM:
Subversion 1.13.0
Mercurial 5.3.1
Cvs 1.12.13
Bazaar 3.0.2
Git 2.39.2
Filesystem
Redmine plugins:
no plugin installed
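As an added illustration of the two settings discussed in this ticket (this is a constructed model, not Redmine's own code): the anonymous role's user visibility setting decides whether a visitor sees every account or only members of public projects, and even with the stricter setting the login names of public-project members remain visible, which is the second point raised above. Role, project and user names are constructed sample data.

```ruby
# Minimal model of Redmine's per-role user visibility (constructed, not Redmine code).
# users_visibility takes one of the two values Redmine offers for a role.
Role = Struct.new(:name, :users_visibility)        # "all" or "members_of_visible_projects"
Project = Struct.new(:name, :is_public, :members)  # members: login names (constructed)

# Login names an anonymous visitor can see, given the anonymous role's setting.
# An anonymous visitor only ever sees public projects, so "visible projects"
# reduces to projects flagged is_public.
def visible_users(anonymous_role, projects, all_users)
  return all_users.sort if anonymous_role.users_visibility == "all"
  projects.select(&:is_public).flat_map(&:members).uniq.sort
end

# Constructed sample data: one public project, one private project.
ALL_USERS = %w[alice bob carol dave].freeze
PROJECTS = [
  Project.new("public-docs", true,  %w[alice bob]),
  Project.new("internal",    false, %w[carol dave]),
].freeze

OLD_DEFAULT = Role.new("Anonymous", "all")                          # before this change
NEW_DEFAULT = Role.new("Anonymous", "members_of_visible_projects")  # after this change

if __FILE__ == $PROGRAM_NAME
  puts "old default exposes: #{visible_users(OLD_DEFAULT, PROJECTS, ALL_USERS).inspect}"
  puts "new default exposes: #{visible_users(NEW_DEFAULT, PROJECTS, ALL_USERS).inspect}"
end
```

Under the old default the private-project members carol and dave are exposed to anonymous visitors; under the new default only alice and bob are, and their login names are still shown because they belong to a public project.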
