publically available usernames are a security risk

2006-08-22T07:36:46
ID ATLASSIAN:JRASERVER-10932
Type atlassian
Reporter moodler
Modified 2017-02-20T04:38:55

Description

The login username of users is revealed all over the place (in URLs that link to user profile, or user's list of assigned open bugs etc).

This seems to be a big security risk, because you have given away half of the user identification to strangers.

Anybody can look up a user in the issue tracker and find out what username they have (possibly on an external system, LDAP or otherwise).

Instead, you should be using an internal userid for these links.