Closed Bug 935871 Opened 11 years ago Closed 11 years ago

Don't show email address without logged in

Categories

(bugzilla.mozilla.org :: Extensions, defect)

Production
defect
Not set
normal

RESOLVED FIXED

People

(Reporter: m_kato, Assigned: glob)

Details

When opening a bug entry (e.g. https://bugzilla.mozilla.org/show_bug.cgi?id=800000) without logging in, the web page doesn't show the email addresses of Reporter/CC/etc.

But opening the profile page (e.g. https://bugzilla.mozilla.org/user_profile?login=m_kato%40ga2.so-net.ne.jp) shows the email address even if not logged in.

We should not show the email address on the profile page if not logged in, for privacy reasons and because of email address crawlers.

true, however the only way to see that email address is to provide it in the query string, which means it's already known.

i guess it's possible to use the user-profile page to check for valid bugzilla email addresses however.

(In reply to Byron Jones ‹:glob› from comment #1)
> true, however the only way to see that email address is to provide it in the
> query string, which means it's already known.
> 
> i guess it's possible to use the user-profile page to check for valid
> bugzilla email addresses however.

ah, but should we disallow query by email without being logged in?

(In reply to Makoto Kato (:m_kato) from comment #3)
> (In reply to Byron Jones ‹:glob› from comment #1)
> > true, however the only way to see that email address is to provide it in the
> > query string, which means it's already known.
> > 
> > i guess it's possible to use the user-profile page to check for valid
> > bugzilla email addresses however.
> 
> ah, but should we disallow query by email without being logged in?

Byron is right. Unless we just outright block the page if a user is not logged in, I don't see how blocking just the query form field is useful. Someone would just do the same exact thing by using https://bugzilla.mozilla.org/user_profile?login=foo@bar.com or any variant of that until they get a valid match.

I propose we require login for the user_profile page as a whole since when a user is logged out, the drop down menu listing 'Profile' for a user name in show_bug.cgi does not even appear when logged out.

glob, thoughts? I can do a patch if you are fine with this.

dkl
Flags: needinfo?(glob)

(In reply to David Lawrence [:dkl] from comment #4)
> I propose we require login for the user_profile page as a whole since when a
> user is logged out, the drop down menu listing 'Profile' for a user name in
> show_bug.cgi does not even appear when logged out.

i don't think requiring authentication to view a profile is the right thing to do here -- and even if you aren't logged in clicking on a gravatar icon takes you to the profile.  i really like the visibility the profile provides to all members of the community and it would be a shame to lose it.

i think the best solution is to:
  - anonymous access
    - construct urls from user-id instead of email
    - don't show the email address on the profile page
    - require login if provided an email address instead of a user-id
  - authenticated access
    - nothing changes from the current design
    - use email address in urls
    - show the email address on the profile page

i'll work on a patch for this.

Flags: needinfo?(glob)
Assignee: nobody → glob

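The anonymous/authenticated policy listed in the comment above, modeled as a small Python function (an added example, not Bugzilla's Perl code and not the committed patch). `login` is the parameter seen in the URLs on this page; the `user_id` parameter name, the sample accounts and the response dictionaries are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode

@dataclass(frozen=True)
class User:
    user_id: int
    email: str
    name: str

# Constructed sample accounts (not real Bugzilla users).
USERS = [User(1001, "alice@example.org", "Alice"),
         User(1002, "bob@example.org", "Bob")]
BY_ID = {u.user_id: u for u in USERS}
BY_EMAIL = {u.email: u for u in USERS}

def profile_url(target: User, viewer: Optional[User]) -> str:
    """Profile link: email for logged-in viewers, user-id for anonymous ones."""
    if viewer is not None:
        return "user_profile?" + urlencode({"login": target.email})
    # "user_id" is a hypothetical parameter name.
    return "user_profile?" + urlencode({"user_id": target.user_id})

def handle_profile(params: dict, viewer: Optional[User]) -> dict:
    """Apply the proposed policy to one request and describe the response."""
    if "login" in params and viewer is None:
        # Decided before any account lookup, so an existing and a
        # non-existing address get the same answer and the page cannot
        # be used to test which addresses have accounts.
        return {"status": "login_required"}
    if "login" in params:
        target = BY_EMAIL.get(params["login"])
    else:
        try:
            target = BY_ID.get(int(params.get("user_id", "")))
        except ValueError:
            target = None
    if target is None:
        return {"status": "not_found"}
    page = {"status": "ok", "name": target.name,
            "self_url": profile_url(target, viewer)}
    if viewer is not None:
        page["email"] = target.email  # only authenticated viewers see it
    return page
```
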
Committing to: bzr+ssh://bjones%40mozilla.com@bzr.mozilla.org/bmo/4.2/
modified extensions/Gravatar/template/en/default/hook/bug/comments-user-image.html.tmpl
modified extensions/UserProfile/Extension.pm
modified extensions/UserProfile/template/en/default/pages/user_profile.html.tmpl
Committed revision 9142.

Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Component: Extensions: UserProfile → Extensions