Privacy concerns: users details are visible through console

Hi guys,
An external user can see sensitive details of all account users through the console, including email, first name, last name, last visit etc

You can check that with /api/user and then org.users

Is it expected?

1 Like

Hey @Oleksandr_Dovgopol - thanks for flagging this! You should be able to prevent this by specifically disabling "View users page with emails" in the "Additional" settings for the "All Users" permission group.

image

We will be updating the default value for this field, as well!

Thank you Darren! It solved this issue. Great!

1 Like