public project without public access to user info - do not disclose login account names
Added by Thomas Meyer 4 months ago
Following the "How to prohibit public access to user info" discussion:
We recently observed the fact that Redmine (at least until Redmine 4.2) has the somewhat doubtable default setting that role 2 (anonymous) has the right to see all users and not only members of visible projects. I would say the latter would be a better default.
Furthermore, when there are public projects, all members of these projects are still visible to the public, together with their (login) account name, which is, in case of directory integration, their user name.
This clearly is information that should not go to the public.
So I would suggest:
- not disclose Redmine login account names to the public, even in public projects
- this could probably be reached by adding a nick for public display
- provide an option to add noindex directives to search bots for user and group information
Kind regards, Tom