Users full name are shown in preview even with "enable names" off

Is this a bug?

When doing a post or a new thread, just in an ordinary manner and pasting in a user profile URL like this:

http://www.FORUMURL.com/u/NICKNAME/summary

The users real name will show up in the preview pane to the right. Of course, this is a massive privacy breach for us and need to sorted out ASAP.

Any idea on why this is happning? The develop console shows this in the document:

<span class="full-name">XXX</span>

Any idea on what is happening or how to fix this?

Thank you.

3 Likes

When enable names is disabled, and users have supplied a full name, the full name shows up when links to the user’s profile are oneboxed. The setting’s description says “Disable to hide full name everywhere”, so this seems like a bug.

2 Likes

Thank you for your answer. To clarify: I have not checked that setting, and still the usernames are shown in the card. So, yes, this seems like an unpleasant bug.

@simon I need to push this further, as it’s a very bad privacy breach.
Are you saying that this is a bug which will be fixed anytime soon? Or, are you saying that the setting “enable names” need to be checked (in other words: the semantics are reversed) to fix this?

I will take a look at it

1 Like

Unless you’re using SSO (and passing the name across without knowledge or consent of the user) it’s arguably not a privacy breach because they provided this at account creation for their profile.

I can understand that it’s unexpected and deviates from the expectations set out by the option to prevent usernames or names, but that isn’t the same thing.

Discourse isn’t really the place for private or sensitive information. If you’re really worried about the names of users getting “out” drop into the rails console and remove them from the database.

Full names are passed off of another system, but it’s strange that the name is placed in a span with the fitting name “full-name”. Doesn’t that implicitly mean that it should be disabled in Discourse? “enable names” setting is not checked in settings.

No matter what, I think it’s a “nobrainer” that admins should have a capability to hide the users full name, even if it’s inserted by the user or not.

It’s difficult to diagnose the cause of this, so any help is appreciated :slight_smile:

Yes, it is a bug and will be fixed. Thanks for reporting it!

2 Likes

Good. Looking forward to this update. ETA?

@wire Opened a PR :slight_smile:

https://github.com/discourse/discourse/pull/7245

8 Likes

PR is merged. Thanks @venarius :heart:

@wire updating to latest version will fix this issue.

8 Likes