Privacy - Email of deleted users displayed in staff logs


(Joshua Rosenfeld) #1

Summary:

When a Discourse account is deleted (by user or system), the email of the account is displayed in the logs. In all other cases, emails are hidden and a log is made when they are viewed.

Steps to reproduce:

  1. Create a user account.
  2. Don’t activate it for 24 hours,
    OR
    Delete your new account.

Expected Results:

Account deletion is logged in staff logs. Email address is not visible.

Actual Results:

Account deletion is logged in staff logs. Email address is visible.

Notes:

Seems odd to me that in every other context logs are made when emails are viewed, but here the email address is visible without any logging.

Attachments:

Version:

Discourse 1.5.0.beta10 (discourse.stonehearth.net)

System Information:

Windows 10 Pro, Chrome Stable 48

