Accounts with email set to "Do not show on profile" have addresses exposed in public atom feed
This is a user reported issue via the security mailing list.
When a user has the profile setting "public email -> do not show in profile" enabled their email address is still made public via the atom feed for their account when they have commented on a public project. Running:
curl https://instance/user.atomWill expose their primary email address.
How to duplicate:
*) Create an account with the default "Do not show on profile" setting for the email address. *) Comment on a public project. *) Log out and view your atom feed: https://host/user.atom