User email is not hidden under Single Sign On area of admin page

Karl_Romanowski · August 12, 2020, 5:58pm

When viewing a User on the admin/users page the Primary Email and Secondary Email fields are hidden, and require permissions to view:

But the same email is shown unprotected when using SSO further down the page:

Expected: SSO Email is protected like the Primary and Secondary emails.

Actual: SSO Email is not protected, and visible to moderators even when site settings forbid showing emails to moderators.

One more comment, I mentioned email but really even the External ID can be sensitive info too.

simon · August 12, 2020, 11:52pm

I’m not sure if this qualifies as a bug, but it’s definitely an issue that needs to be addressed.

techAPJ · November 10, 2020, 7:13pm

Fixed via:

techAPJ · February 17, 2021, 4:45pm

@anon60302432 brought into our notice that SSO payload includes email as well so we’ve hidden the payload behind a button click as well, via:

Topic		Replies	Views
Moderators should not see emails in SSO section UX	12	1631	November 12, 2020
SSO payload can be seen be moderators again? Support	9	1042	February 15, 2021
Can no longer view users emails as a moderator Support	6	1140	July 28, 2018
Email security/obscurity for moderators is inconsistent Bug	15	2919	September 29, 2015
Moderator email viewing rights changed? Support	26	2097	March 18, 2019