I agree with this. Staff shouldn’t see emails unless they explicitly click to expand the email (e.g. they need to see it for some reason) and this action should be logged in Admin / Logs / Staff.
There is actually no reason why email address should be visible/readable to staff at all, at least not by default.
Besides masking the email, make a configuration “email visible to staff” and turn it off by default.
This information (email address) in most cases does not have any operational value for individuals on this type of system, even to trusted staff. Having staff contact a user by email, not via the system, will probably require a TOC change as well. More headache for site operators.
To a certain extent, having this information “out there” creates potential legal complexity and increases the risk of data privacy violations and security risks.
Imagine if a staff account gets compromised: it can potentially allow an attacker to harvest the entire user base's email addresses.
We have the opposite problem here. We really need email addresses available to moderators and admins for a variety of reasons (looking up accounts in our other systems). If you take this away please, please leave a config option to turn it back on.
It is in the Admin Area… so it isn’t going away, it is simply staying in an Admin area place where it belongs. Moderators can currently see it there today.
Or if you really want it on there, just visible by a click, is it as simple as altering the <dd> to receive a click event that replaces its current text with the email address?
That’ll only obscure the email address. You need to remove the address from the serialized JSON of each user model and create a new route that emits just the email address and logs the action. And of course have a frontend that uses this.
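
The approach described in the last reply, as an added sketch that is not part of the original thread and not the project's own code: the default user payload is built from an allowlist without the email, and a separate staff-only call returns just the address and writes a log entry first. The record layout, the `check_email` action name and the in-memory log are assumptions made for illustration.

```ruby
require "json"
require "time"

class Forbidden < StandardError; end

# Constructed sample records; names and fields are hypothetical.
USERS = {
  1 => { id: 1, username: "alice", email: "alice@example.com" },
  2 => { id: 2, username: "bob",   email: "bob@example.com" },
}.freeze

# Stands in for the staff action log shown under Admin / Logs / Staff.
STAFF_ACTION_LOG = []

# Default user payload: an allowlist of fields, so the email never reaches
# the browser and there is nothing for a click handler to un-hide.
def serialize_user(user)
  JSON.generate(user.slice(:id, :username))
end

# Separate route body: staff only, returns just the email, and records who
# looked at whose address before the value is returned.
def reveal_email(actor, user_id, now: Time.now.utc)
  raise Forbidden, "staff only" unless actor[:staff]
  user = USERS.fetch(user_id) # KeyError for an unknown id, nothing is logged
  STAFF_ACTION_LOG << {
    action: "check_email", # hypothetical action name
    actor: actor[:username],
    target: user[:username],
    at: now.iso8601,
  }
  JSON.generate({ email: user[:email] })
end
```

With this split, a compromised staff session can no longer read addresses out of ordinary user payloads, and each lookup it does make leaves one log row per address.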