When enable names is disabled, and users have supplied a full name, the full name shows up when links to the user’s profile are oneboxed. The setting’s description says “Disable to hide full name everywhere”, so this seems like a bug.
Thank you for your answer. To clarify: I have not checked that setting, and still the usernames are shown in the card. So, yes, this seems like an unpleasant bug.
@simon I need to push this further, as it’s a very bad privacy breach.
Are you saying that this is a bug which will be fixed anytime soon? Or, are you saying that the setting “enable names” need to be checked (in other words: the semantics are reversed) to fix this?
Unless you’re using SSO (and passing the name across without knowledge or consent of the user) it’s arguably not a privacy breach because they provided this at account creation for their profile.
I can understand that it’s unexpected and deviates from the expectations set out by the option to prevent usernames or names, but that isn’t the same thing.
Discourse isn’t really the place for private or sensitive information. If you’re really worried about the names of users getting “out” drop into the rails console and remove them from the database.
Full names are passed off of another system, but it’s strange that the name is placed in a span with the fitting name “full-name”. Doesn’t that implicitly mean that it should be disabled in Discourse? “enable names” setting is not checked in settings.
No matter what, I think it’s a “nobrainer” that admins should have a capability to hide the users full name, even if it’s inserted by the user or not.
It’s difficult to diagnose the cause of this, so any help is appreciated