Support

Akeeba Ticket System

#17452 Email as username in ticket user information [Feature Request]

Posted in ‘Akeeba Ticket System for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Akeeba Ticket System version
n/a

Latest post by nicholas on Wednesday, 11 September 2013 11:55 CDT

Wednesday, 11 September 2013 09:31 CDT

rvbgnu
Hi Nicholas,

Thank you for this great ticket system to work with another great Subscriptions manager (even if much more expensive now ;)

When setting up in AK Subs "Email as username", that becomes the full user name. Then in ATS, everyone can see the email address. Any clever idea to make it more safe?

Of course, a template override can work around for a while.

NB: I have read this ticket
https://www.akeebabackup.com/support/akeebatickets/16191-username-in-ats.html
and I do agree more or less with the "minor security issues" you stated.

What about showing:
- a new "Display Name" field in ATS, so that the user himself decide if he/she discloses some privacy or not
- for non logged in user (web visitor) a cloaked or obfuscated "username" (will work without AK SUBS) or make sure that this not an email address (will work with any other extension extending the joomla registration)
- for front-end staff with ATS, the full info: Name, username, email (and let's push into AK Subs feature request, a link to subscription details from front-end 8-)
- for logged in users, maybe something different, depending on ACL (allow to post ticket?)

Please note that this are NOT a fully mature suggestions!!

Kind regards,
Hervé

Wednesday, 11 September 2013 11:55 CDT

nicholas
First, thank you for your kind words!

When setting up in AK Subs "Email as username", that becomes the full user name. Then in ATS, everyone can see the email address. Any clever idea to make it more safe?


Being dangerously close to stating the obvious, you have to not use the "Email as username" option in Akeeba Subscriptions. ATS is only a tiny aspect of the site where the usernames (ergo, email addresses) can be seen. I generally consider the "Email as username" option a Very Bad Idea(tm). It's only there because some people wouldn't stop whining how much they need it. Well, here it is, complete with all the problems that I had already thought of and made me not want to implement this feature in the first place.

Regarding all other alternatives, it's one worse than the next. Disclosing the user ID? It's hacker's paradise. Disclosing the real name? You can even get in legal trouble. Email address? You have to deal with spammers. The only safe choice is the username, as long as it's not an email address. You see where this is going, right?

So, you either remove that option or force private tickets to all of your categories.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!