User autocomplete exposes usernames/emails without proper access control

Created on 4 August 2025

Problem/Motivation

When using the autocomplete widget for the author field (or any entity reference field pointing to user entities), Drupal currently exposes user names to any role that can use that widget, regardless of whether the role has the administer users permission. This is a privacy concern: editors or other users with access to the field can discover other users' identities simply by typing into the autocomplete box. In some setups — like ours — the email address is stored as the username, so the autocomplete effectively leaks personally identifiable information (PII). A malicious user could also scrape the endpoint behind the autocomplete and harvest user data.

Steps to reproduce

  1. Have user accounts in Drupal with private names/emails.
  2. Give a non-admin role access to a node form with the author autocomplete field enabled.
  3. As a user with that role, start typing in the author autocomplete field.
  4. Observe that full names/usernames/emails of users pop up that the role should not have permission to view.

Proposed resolution

  • Add a specific permission (e.g. access user autocomplete) which controls who can see results returned by user autocompletes.
  • Restrict the autocomplete to only show the current user unless the access user autocomplete permission is granted.
  • Allow configuration to limit search to specific roles (e.g. only users with role X may appear in autocomplete).
  • Alternative option: add a permission to select from all users, but add another permission to select from only users within same role or group.
  • Optionally provide an API hook to alter autocomplete results programmatically.

The username should also be validated so that it does not contain an email address or other sensitive information.

Remaining tasks

  • Discuss and specify new permission names.
  • Implement permission check on the autocomplete endpoint.
  • Write/update automated tests.
  • Document the behavior change in release notes.

User interface changes

  • UI for permissions page will display a new permission checkbox.
  • Autocomplete field will show fewer or no results depending on user’s permissions.

Introduced terminology

  • Access user autocomplete – new permission controlling visibility of user suggestions in autocomplete fields.

API changes

  • New permission added to user.permissions.yml.
  • Autocomplete route callback updated to check new permission.
  • Potential new hook: hook_user_autocomplete_alter() to customize the results.
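The following is an added example, not code from this issue or from Drupal core. It shows one way a site could apply the first three points of the proposed resolution today, by declaring the proposed "access user autocomplete" permission in a contrib/custom module and providing an entity reference selection handler that narrows the user query unless the caller holds that permission. The module name (example_user_autocomplete), the plugin id and the class name are assumptions; the parent class, the buildEntityQuery() signature and the currentUser property are those of core's UserSelection handler.

```php
<?php

declare(strict_types=1);

namespace Drupal\example_user_autocomplete\Plugin\EntityReferenceSelection;

use Drupal\user\Plugin\EntityReferenceSelection\UserSelection;

/**
 * Restricts user reference suggestions to callers holding a permission.
 *
 * The permission is declared in the module's permissions file (assumed
 * module name; permission name taken from the issue's proposal):
 *
 * @code
 * # example_user_autocomplete.permissions.yml
 * access user autocomplete:
 *   title: 'Access user autocomplete'
 *   description: 'See other users in user reference autocomplete suggestions.'
 *   restrict access: true
 * @endcode
 *
 * @EntityReferenceSelection(
 *   id = "example_restricted:user",
 *   label = @Translation("Restricted user selection (example)"),
 *   entity_types = {"user"},
 *   group = "example_restricted",
 *   weight = 1
 * )
 */
class RestrictedUserSelection extends UserSelection {

  /**
   * Name of the permission this example assumes the module declares.
   */
  public const PERMISSION = 'access user autocomplete';

  /**
   * {@inheritdoc}
   */
  protected function buildEntityQuery($match = NULL, $match_operator = 'CONTAINS') {
    // The parent applies the name match, the handler's configured role
    // filter, and the existing "administer users" handling for blocked
    // accounts.
    $query = parent::buildEntityQuery($match, $match_operator);

    // Without the permission, the only referenceable user is the caller.
    // validateReferenceableEntities() in the base handler is built on this
    // same query, so a submitted form that names another uid directly is
    // rejected too; the restriction is not limited to the suggestions the
    // widget displays.
    if (!$this->currentUser->hasPermission(self::PERMISSION)) {
      $query->condition('uid', $this->currentUser->id());
    }

    return $query;
  }

}
```

Once the module is enabled, the handler is chosen per field under the field's "Reference method" setting, and the new permission is granted to the roles that legitimately need to pick other users. This covers only the entity reference selection path; other places that render usernames (views, profile pages, REST endpoints) need their own access checks, and the core change the issue proposes would apply the same rule to the default handler rather than requiring a per-field choice.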

Data model changes

None.

Release notes snippet

Autocomplete fields referencing user entities are now protected by a new permission Access user autocomplete. Users without this permission will no longer be able to discover usernames/emails through autocomplete suggestions. If your site relies on existing behavior, grant the permission to appropriate roles after upgrade.

Issue type

Bug report

Status

Active

Version

10.4

Component

ajax system

Created by

eduardo morales alberti (Spain)
