User email addresses can be retrieved through the REST interface without authentication

Description

Description of problem:
Translation resources requested on the REST interface include user email addresses. This doesn't seem like something we want to be sharing without users specifically agreeing that their email address should be shared. No authentication is required to retrieve the resource that shows the email address.

Steps to Reproduce:
1. Find a document that has had at least one text flow translated in the editor.
2. Retrieve translations in JSON format.

Here is an example in production:
curl -i -H "Accept: application/json" https://translate.zanata.org/zanata/rest/projects/p/jdf/iterations/i/WhatIsTicketMonster_1.0/r/Building_The_Business_Services_With_JAX-RS.odt/translations/ja > output

(look in ./output for email addresses).

Generic command for any server/project/version/document (substituting in appropriate values for anything in the form "<...>"):

curl -H "Accept: application/json" <zanata-server>/rest/projects/p/<project-id>/iterations/i/<version-id>/r/<document-id>/translations/<locale-id>

3. Inspect the response for an email address (e.g. search for '@')

Actual results:
Email address is shown in the "translator" section for any translated textFlowTargets.

Expected results:
User emails are not available through the REST interface without appropriate authentication (i.e. user's own email, or administrator privileges).
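Step 3 of the reproduction can be turned into a regression check that is run against a saved, unauthenticated response. The following is an added example, not part of the original report or of Zanata's code; the sample body is constructed, and every field name other than "translator" and "textFlowTargets" is an assumption.

```python
import json
import re

# Deliberately loose pattern: the goal is to flag anything that looks like an address.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample response; field names other than "translator" and
# "textFlowTargets" are assumptions, and the addresses are made up.
SAMPLE = """
{
  "textFlowTargets": [
    {"resId": "a1", "state": "Approved", "content": "こんにちは",
     "translator": {"email": "translator@example.com", "name": "Example Translator"}},
    {"resId": "a2", "state": "New", "content": ""},
    {"resId": "a3", "state": "Approved", "content": "Contact docs@example.org",
     "translator": {"name": "Another Person"}}
  ]
}
"""

def find_emails(node, path="$"):
    """Yield (json_path, address) for every email-like string in a parsed body."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from find_emails(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from find_emails(value, f"{path}[{index}]")
    elif isinstance(node, str):
        for match in EMAIL_RE.finditer(node):
            yield path, match.group(0)

def translator_leaks(body):
    """Return only hits located under a "translator" object (account data),
    ignoring addresses that are part of the translated content itself."""
    return [(p, e) for p, e in find_emails(json.loads(body)) if ".translator." in p]

if __name__ == "__main__":
    for path, email in translator_leaks(SAMPLE):
        print(f"LEAK {path}: {email}")
```

An empty result from `translator_leaks` on an unauthenticated response matches the expected behaviour above; addresses that appear inside translated content are reported by `find_emails` but are not counted as account leaks.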

Environment

None

Assignee

Patrick Huang

Reporter

David Mason

Tested Version/s

None

Components

Priority

unspecified