Email address is exposed for the first user setting the campfire instance up. #63
-
When I set up my Campfire instance and logged out (or viewed it in a private window), I could see the address visible by default, and there is no warning and no setting to hide it. My recommendation would be to add a warning to the README as a rapid response, then change the setup flow to ask for consent.
-
I agree this is surprising and undesirable default behavior. Not only is it leaking my email, it's also leaking the admin login to anyone who views the login page. You can edit the contents of
-
It won't truly hide from someone who knows of this issue, but visually you can hide it from your users with this CSS until there's an update:

/* Visually hide admin user from login screen */
.txt-align-center.margin-block-double.full-width .btn.center {
  display: none;
}
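
The caveat in the comment above (the CSS hides the button visually, but the address is still in the served page) can be checked against a saved copy of your own instance's login page. This is an added example, not part of the original thread or Campfire's code; the sample markup, the `mailto:` link and the address `admin@example.test` are constructed assumptions, and only the CSS selector comes from the comment.

```python
import re
from html.parser import HTMLParser

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
VOID = {"br", "hr", "img", "input", "link", "meta"}  # tags with no end tag

# CSS rule quoted from the comment above.
CSS_HIDE = ".txt-align-center.margin-block-double.full-width .btn.center { display: none; }"

# Constructed sample page, NOT Campfire's real markup (assumption for illustration).
SAMPLE = f"""<html><head><style>{CSS_HIDE}</style></head><body>
<div class="txt-align-center margin-block-double full-width">
  <a class="btn center" href="mailto:admin@example.test">Contact admin@example.test</a>
</div>
<form><input type="email" name="email_address"></form>
</body></html>"""

class EmailFinder(HTMLParser):
    """Collect e-mail addresses from attribute values and text nodes."""
    def __init__(self):
        super().__init__()
        self.open_tags = []   # stack of currently open elements
        self.hits = []        # (address, location) pairs

    def handle_starttag(self, tag, attrs):
        if tag not in VOID:
            self.open_tags.append(tag)
        for name, value in attrs:
            for addr in EMAIL_RE.findall(value or ""):
                self.hits.append((addr, f"<{tag} {name}=...>"))

    def handle_endtag(self, tag):
        if tag in self.open_tags:           # tolerate unbalanced markup
            while self.open_tags.pop() != tag:
                pass

    def handle_data(self, data):
        where = self.open_tags[-1] if self.open_tags else "document"
        for addr in EMAIL_RE.findall(data):
            self.hits.append((addr, f"text in <{where}>"))

def exposed_emails(html):
    """Return every address present in the markup, whatever CSS says."""
    finder = EmailFinder()
    finder.feed(html)
    finder.close()
    return finder.hits

if __name__ == "__main__":
    for addr, where in exposed_emails(SAMPLE):
        print(f"{addr} still served in {where}")
```

The `display: none` rule is present in the sample, yet both occurrences of the address are reported, because the check reads the markup rather than the rendered page.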
-
Hi everyone, the admin's email address is publicly visible so that people who forgot their password have someone to reach out to for support - see #16
We intend to keep it this way for now.
-
This makes sense; better user management, like a password reset function via SMTP, would be ideal.
-
We'll see what we can do. So far we've leaned toward transaction email being an option, not a requirement, to run Campfire.
-
I wish there was at least an OPTION to hide that email. Or provide a DIFFERENT email than the login email of the admin. The current setup is waiting for an attack vector if the app is deployed at a public endpoint with a domain (which is what the default setup creates). This seems like bad design :/