User email is not hidden under Single Sign On area of admin page

When viewing a User on the admin/users page, the Primary Email and Secondary Email fields are hidden and require permissions to view:

But the same email is shown unprotected when using SSO further down the page:

Expected: SSO Email is protected like the Primary and Secondary emails.

Actual: SSO Email is not protected, and visible to moderators even when site settings forbid showing emails to moderators.

One more comment: I mentioned email, but really even the External ID can be sensitive info too.

I’m not sure if this qualifies as a bug, but it’s definitely an issue that needs to be addressed.

Fixed via:

@Callahan brought to our notice that the SSO payload includes the email as well, so we’ve hidden the payload behind a button click too, via:
