Re: Early December Commitfest app release - Mailing list pgsql-hackers

From Magnus Hagander
Subject Re: Early December Commitfest app release
Date
Msg-id CABUevExXaStoKgwGKHF7gcBpUHnZjfASyVEw-r0dmttWGPu76A@mail.gmail.com
In response to Re: Early December Commitfest app release  (Jelte Fennema-Nio <me@jeltef.nl>)
List pgsql-hackers

On Sat, Nov 15, 2025, 17:36 Jelte Fennema-Nio <me@jeltef.nl> wrote:
> On Sat, Nov 15, 2025, 07:05 Magnus Hagander <magnus@hagander.net> wrote:
>> Yes, IIRC we had security complaints about people being able to enumerate all users without being logged in. Since it's not just users who submitted any data, it was enough to just have clicked a link once...
>
> I think the "without being logged in" is a pretty tiny hurdle for anyone interested in this data. It's trivial to create one. IMO pretending that locking it down behind a login improves security/privacy is actively unhelpful to anyone worried about that. And at the same time it breaks the experience for non-logged in users, without letting them know that they should log in.

Agreed in principle, but it does make it a lot easier for scrapers. And I think that was the main concern at the time (it's been a while so my memory could be off on the details of course).

> I'm kinda curious who's actually worried about that data being public though. It's only names and usernames.

Again with the bad memory, but could it be that it at one point included emails, and we have independently changed that?

>> If it was restricted to only show those that had actually submitted into it would've probably been considered OK - but at the time it was not considered to be worth the effort to split those up.
>
> I might just go and do that.

I think that would remove the whole argument so yeah if that ends up not being too hard it's probably the easiest way out.

/Magnus 
