do not disclose login account names (public projects disclose some user info)
Asdid not get any reaction, I think it is worth submitting a ticket:
We recently observed the fact that Redmine (at least until Redmine 4.2) has the somewhat doubtable default setting that role 2 (anonymous) has the right to see all users and not only members of visible projects. I would say the latter would be a better default.
Furthermore, when there are public projects, all members of these projects are still visible to the public, together with their (login) account name, which is, in case of directory integration, their user name.
This clearly is information that should not go to the public.
So I would suggest to:
- not disclose Redmine login account names to the public, even in public projects (this could probably be reached by adding a nick for public display)
- provide an option to add noindex directives to search bots for user and group information
Kind regards, Tom
Redmine version 5.0.5.stable
Ruby version 2.7.5-p203 (2021-11-24) [x86_64-linux-gnu]
Rails version 22.214.171.124
Database adapter PostgreSQL
Mailer queue ActiveJob::QueueAdapters::AsyncAdapter
Mailer delivery smtp
Redmine theme Default
no plugin installed