[CONFSERVER-20157] Email address exposure even when the user specifies they want their email address hidden

    • Bug
    • Resolution: Duplicate
    • Medium
    • 3.2.1

      We have a Confluence site and noticed the following. When a user uses their email address as their username, that email address will then be exposed in certain links. An example would be the 'View User Profile' link:

      https://www.<DOMAIN>/confluence/users/viewuserprofile.action?username=<FULL EMAIL ADDRESS>

      The email address of the user is hidden in the page, but what good is it if the username (email address) is visible in the URL itself?

      I do understand that users do not have to use their email address as a username, but why would Atlassian provide a 'Same as email' button when users sign up given this possibility?

      Please address this issue and let me know what will be done to resolve this.

      Thanks,
      – Jason


            Joe Clark added a comment -

            Hi Jason,

            Thanks for reporting this issue. Unfortunately, Confluence usernames are the only data element that can be used to uniquely identify a user (i.e. we do not use an underlying unique key to identify the user), which is why the username has to be embedded in the URL. We would not be able to change this until work to re-implement Confluence usernames is performed (see CONF-4063).

            Your suggestion of highlighting the potential privacy issues in username signup has already been suggested as CONF-7062.

            I am going to close this issue as a duplicate, but please feel free to re-open it if you wish to discuss further.

            Regards,
            Joe.
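
An added example, not part of the original issue and not Atlassian code: an audit an administrator could run over web access logs to list accounts whose email-shaped usernames appear in 'View User Profile' URLs, either in the request line or in a Referer header. The combined log format, hosts, dates and user names below are constructed assumptions; only the `viewuserprofile.action?username=` URL shape comes from the report.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (hosts, dates and users are made up).
SAMPLE_LOG = "\n".join([
    '203.0.113.5 - - [01/Jan/2010:10:00:00 +0000] "GET /confluence/users/'
    'viewuserprofile.action?username=alice%40example.com HTTP/1.1" 200 5120 '
    '"-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2010:10:01:00 +0000] "GET /confluence/users/'
    'viewuserprofile.action?username=bsmith HTTP/1.1" 200 4980 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2010:10:02:00 +0000] "GET /confluence/display/DOC/Home '
    'HTTP/1.1" 200 9000 "https://www.example.com/confluence/users/'
    'viewuserprofile.action?username=carol@example.org" "Mozilla/5.0"',
])

PROFILE_PATH = "/users/viewuserprofile.action"  # path taken from the report
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
REFERER_RE = re.compile(r'"(https?://[^"\s]+)"')
# Deliberately loose shape check: something@something.tld, no whitespace.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def email_usernames(log_text):
    """Return the sorted email-shaped usernames found in profile URLs.

    Both the requested URL and any absolute URL in the Referer field are
    checked, because the username travels in the query string either way.
    """
    found = set()
    for line in log_text.splitlines():
        for url in REQUEST_RE.findall(line) + REFERER_RE.findall(line):
            parts = urlsplit(url)
            if not parts.path.endswith(PROFILE_PATH):
                continue
            # parse_qs percent-decodes, so %40 and a literal @ both match.
            for value in parse_qs(parts.query).get("username", []):
                if EMAIL_RE.match(value):
                    found.add(value.lower())
    return sorted(found)


if __name__ == "__main__":
    for name in email_usernames(SAMPLE_LOG):
        print(name)
```
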
