- Bug
- Resolution: Duplicate
- Medium
- None
- 3.2.1
- None
We have a Confluence site and noticed the following. When a user uses their email address as their username, that email address will then be exposed in certain links. An example would be the 'View User Profile' link:
https://www.<DOMAIN>/confluence/users/viewuserprofile.action?username=<FULL EMAIL ADDRESS>
The email address of the user is hidden in the page, but what good is it if the username (email address) is visible in the URL itself?
I do understand that users do not have to use their email address as a username, but why would Atlassian provide a 'Same as email' button when users sign up given this possibility?
Please address this issue and let me know what will be done to resolve this.
Thanks,
– Jason
- duplicates
  - CONFSERVER-7062 Spam/privacy risk from using email as username on public instances should be emphasised (Closed)
- is blocked by
  - CONFSERVER-4063 Change usernames (Closed)
Hi Jason,
Thanks for reporting this issue. Unfortunately, Confluence usernames are the only data element that can be used to uniquely identify a user (i.e. we do not use an underlying unique key to identify the user), which is why the username has to be embedded in the URL. We would not be able to change this until work to re-implement Confluence usernames is performed (see CONF-4063).
Your suggestion of highlighting the potential privacy issues in username signup has already been suggested as CONF-7062.
I am going to close this issue as a duplicate, but please feel free to re-open it if you wish to discuss further.
Regards,
Joe.
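
An administrator can measure how many accounts are affected by checking their own instance's profile links for email-shaped usernames. The following is an added example, not part of the original ticket or Atlassian's code: the sample URLs, the `email_usernames` helper and the loose email pattern are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Loose "looks like an email address" test; enough for an audit, not RFC 5322.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Path of the 'View User Profile' link quoted in the report.
PROFILE_PATH = "/users/viewuserprofile.action"


def email_usernames(urls):
    """Return the sorted, de-duplicated usernames in profile links
    that are shaped like email addresses."""
    found = set()
    for url in urls:
        parts = urlsplit(url.strip())
        if not parts.path.endswith(PROFILE_PATH):
            continue  # not a profile link
        # parse_qs percent-decodes values, so %40 becomes '@'
        for name in parse_qs(parts.query).get("username", []):
            if EMAIL_RE.match(name):
                # Case-folding for de-duplication is an assumption of this example.
                found.add(name.lower())
    return sorted(found)


# Constructed sample input: links as they might appear in an access log
# or a crawl of your own site.
SAMPLE_URLS = [
    "https://wiki.example.com/confluence/users/viewuserprofile.action?username=alice%40example.com",
    "https://wiki.example.com/confluence/users/viewuserprofile.action?username=bob",
    "https://wiki.example.com/confluence/users/viewuserprofile.action?username=Carol@example.org",
    "/confluence/users/viewuserprofile.action?username=ALICE%40example.com",
    "https://wiki.example.com/confluence/pages/viewpage.action?pageId=1&username=dave@example.com",
]

if __name__ == "__main__":
    for name in email_usernames(SAMPLE_URLS):
        print("email used as username:", name)
```

Accounts flagged this way are the ones to revisit once usernames can be changed, or to warn about at signup.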