Ability to censor user's email address

Our instance of Discourse uses SSO to allow users to sign in to our forum, and we do not allow our users to change their email on the forum; this is all done on our main site.

With this being said, if an account is compromised and the compromiser decides to go onto our forum, they have full visibility of the user’s email address.

Could we have a feature that stars/censors out the user’s email address if enabled in settings but still allows admins to view emails?

Example:

Try this in the settings: enable_names


The admins can view email through user admin settings:

1 Like

@InceptionTime, emails are only visible to admins, and the user themselves. You’re seeing the email in the screenshot as that’s your user. Try viewing a different user.

1 Like

Yes, that is what I mean; we want to censor the email for the logged-in user.

1 Like

You don’t want a user to see their own email? They already know it…

I’m afraid I’m not following you here.

So our issue right now is that if an account is compromised on our main website and the hacker decides to go onto our forum and log into the account they have hacked, they are able to see the victim's email.

However, on our main site we censor the email for security reasons.
We want the ability to be able to censor the logged-in user's email on our Discourse forum too.

You can hide the email via CSS, but someone could still view it via browser dev tools. To fully hide it you’re likely going to need to build a plugin.

That said, if your users are able to be compromised on your main site, I think you have bigger issues than their email being revealed.

6 Likes
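The difference between hiding with CSS and censoring on the server, as an added example that is not part of the thread and is not Discourse or plugin code: the address is masked before the profile payload is built, so the full value never reaches the browser and dev tools have nothing to reveal. The names `mask_email`, `profile_payload` and `censor_own_email`, and the sample users, are hypothetical.

```ruby
require "json"

# Added illustration; not Discourse code. All names here are hypothetical.
MASK = "*****" # fixed width, so the length of the local part is not revealed

# Keep the first character and the domain; star out the rest.
# Anything that does not look like local@domain is masked entirely.
def mask_email(email)
  local, sep, domain = email.to_s.rpartition("@")
  return MASK if sep.empty? || local.empty? || domain.empty?
  "#{local[0]}#{MASK}@#{domain}"
end

# Build the profile payload that is sent to the browser.
#   admin viewer       -> full address
#   the user themself  -> masked address while censor_own_email is on
#   any other viewer   -> no email key at all
def profile_payload(user, viewer, censor_own_email: true)
  payload = { id: user[:id], username: user[:username] }
  if viewer[:admin]
    payload[:email] = user[:email]
  elsif viewer[:id] == user[:id]
    payload[:email] = censor_own_email ? mask_email(user[:email]) : user[:email]
  end
  payload
end

# Constructed sample data.
USER  = { id: 7, username: "jane",  email: "jane.doe@example.com", admin: false }
ADMIN = { id: 1, username: "staff", email: "staff@example.com",    admin: true }
OTHER = { id: 9, username: "bob",   email: "bob@example.com",      admin: false }

if __FILE__ == $PROGRAM_NAME
  puts JSON.generate(profile_payload(USER, USER))   # what a logged-in session receives
  puts JSON.generate(profile_payload(USER, ADMIN))  # what an admin receives
  puts JSON.generate(profile_payload(USER, OTHER))  # what another user receives
end
```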

We’ll look into building a plugin in that case.

It’s a highly uncommon thing, but we had a “bug” report sent to us about this and wanted to send it in to see if anything could be done.