Staff should not see user profile email addresses without a click

Continuing the discussion from Last post versus seen timestamps:

I agree with this. Staff shouldn’t see emails unless they explicitly click to expand the email (e.g. they need to see it for some reason) and this action should be logged in Admin / Logs / Staff.

Would happily accept a community PR in this area.


There is actually no reason why email address should be visible/readable to staff at all, at least not by default.

Beside the masking of the email. make a configuration “email visible to staff” and turn it off by default.

This information(email address) in most cases does not have any operational value for individuals on this type of system even to a trusted staff. having a staff contacting a user by email not via the system, will probably require TOC change as well. more headache for site operators.

To a certain extant having this information “out there” create potential legal complexity and increase the risk of data privacy violations and security risks.

Imaging if a staff account get compromised it can potentially allow an attacker to harvest the entire user base email address.

Do we really need it on the public profile page to begin with? You can always get to it in the Users Admin area.


Only extremely rarely have I ever had to email a forum member.

I have always sent a PM first, and only if they don’t respond in a reasonable amount of time have I then emailed them.

IMHO as long as it can be found somewhere for the rare instance it doesn’t need to be elsewhere.

The e-mail address can be useful in identifying multiple accounts, but I agree, it shouldn’t be on the public profile.

I like this request for a pull request so much that I had to like it twice.

No fair, my extra like was revoked. I demand reparations!

1 Like

We have the opposite problem here. We really need email addresses available to moderators and admins for a variety of reasons (looking up accounts in our other systems). If you take this away please, please leave a config option to turn it back on.

It is in the Admin Area… so it isn’t going away, it simply is staying in a Admin area place where it belongs. Moderators can currently see it there today.

Okay, so is this change as simple as removing the following from user.js.handlebars? ping @sam

              {{#if email}}
                <dt>{{i18n}}</dt><dd {{bind-attr title="email"}}>{{email}}</dd>

Or if you really want it on there, just visible by a click, is it as simple as altering the <dd> to receive a click event that replaces its current text with the email address?

That’s several more clicks in order to get that information… we really need this to stay in the profile.

That’ll only obscure the email address. You need to remove the address from the serialized JSON of each user model and create a new route that emits just the email address and logs the action. And of course have a frontend that uses this.

I think this is now complete.