#404 Adding configuration for keeping email address private (GDPR)

None
closed
nobody
1
2019-08-24
2019-08-22
No

Hi,
I find that it is no longer in touch with the times that the e-mail addresses of all the other users of the system are shown to everybody.
I would like to have a global config for:
$hide_users
that avoids outputting all the users' info to everybody in edit_users.php.

Here is a very simple diff for that:

diff --git a/edit_users.php b/edit_users.php
index d2483d5..db2b27f 100644
--- a/edit_users.php
+++ b/edit_users.php
@@ -183,9 +183,15 @@ function output_row(&$row)
 {
   global $ajax, $json_data;
   global $fields, $ignore_columns, $select_options;
+  global $hide_users;

   $values = array();

+  // If stricter privacy is required do not output all the users's rows
+  if (!can_edit_user($row['name']) && $hide_users)
+  {
+    return;
+  }
   // First column, which is the name
   // You can only edit a user if you have sufficient admin rights, or else if that user is yourself
   if (can_edit_user($row['name']))
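
Review bot: The added condition `if (!can_edit_user($row['name']) && $hide_users)` in output_row() calls can_edit_user() for every row even when the option is off, and the same call is made again in the unchanged `if (can_edit_user($row['name']))` a few lines below. Test `$hide_users` first so the default path short-circuits, or store the result of can_edit_user() once and reuse it. The filter also sits in the output function, so each row has already been passed to output_row() before it is dropped, which means the setting hides rows only on this code path. Add a blank line after the closing brace to match the spacing around `$values = array();`, and the comment should read "users' rows".
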
diff --git a/systemdefaults.inc.php b/systemdefaults.inc.php
index 7806a63..07a827a 100644
--- a/systemdefaults.inc.php
+++ b/systemdefaults.inc.php
@@ -440,6 +440,8 @@ $default_report_days = 60;
 $show_plus_link = false;   // Change to true to always show the (+) link as in
                            // MRBS 1.1.

+// Enforce a stricter privacy, do not show other users info (notably e-mail address) to non-admin users.
+$hide_users = false;

 // PRIVATE BOOKINGS SETTINGS

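Review bot: The comment above `$hide_users = false;` says other users' info is hidden from "non-admin users", but the check added in edit_users.php is keyed on can_edit_user(), not on an admin level; word the comment to match what the code actually tests. The name is also broad for a setting that, in this patch, only affects the rows printed by output_row() in edit_users.php, so say that in the comment. The default of false leaves the current behaviour (all rows shown to everybody) in place, which is worth stating next to the setting.
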
Hope it can be accepted
Thanks,
Paolo

Discussion

  • Campbell Morrison

    You mean you want something different from $auth['only_admin_can_see_other_users']? That setting won't show the other users at all, but your setting looks like it will show the username but no other details. Is it useful knowing just the username?

     
  • Paolo Nesti Poggi

    Actually it removes the whole row as it returns before outputting it.
    But, yes, $auth['only_admin_can_see_other_users'] is the right config. I had not seen it and I had mistaken $min_user_viewing_level for the only setting one could use in that regard, and it is for something else.
    So, please just disregard this request, $auth['only_admin_can_see_other_users'] is all I need.

     
  • Campbell Morrison

    • status: open --> closed
    • Group: -->