Display of user specific sensitive info to all the user

[sivtechrepo]

Describe the Bug: GoAlert application provides the user information under Users menu. All the logged-in users are able to see other users sensitive information like phone number, email. Usually, voice calls are linked with personal numbers in the user profile. Display of phone number pose great threat as its PII data.

Steps to Reproduce:

1. Go to 'User'
2. Click on any 'User'
3. Scroll down to 'Contat Methods or Notification Rules'
4. See Phone numbers of the other users being displayed

Expected Behavior: Usually, phone number should be visible only to the own users or data admin users

Observed Behavior: Currently, phone number is visible to all the users of the system

Screenshots/Stack Traces: If applicable, add screenshots and/or stack traces to help explain your problem.

Application Version: Output of goalert version and/or version information from view-source on the UI.

$ goalert version v0.29.0

Additional Context: Add any other context about the problem here.

[mastercactapus]

Would it be acceptable to allow marking a contact method as private?

That would give an opt-in way to mark specific numbers (e.g., a roommate or friend's number) but still allow looking up direct numbers during critical situations.

[mastercactapus]

Proposal:

• Add a Private checkmark to the CM create/edit dialog
• Private numbers/cm values hidden in UI (and from API) for non-owning user
• Add a includePrivate option in schema, only available to admins (or a read-only admin role)

[stale[bot]]

This issue has been automatically marked as stale because it has not had recent activity.