Notification/Watchlist privacy

Our XWiki is about personal health data. In that respect we have privacy-sensitive pages.

We are triggered by one of our users discussing the ‘watchlist’ notification.
In the default notification very detailed information is put in the message and in our case sent out via email (hourly, daily or weekly).
This email seems to be a plain-text (or HTML, plain text message) and as such readable by interceptors of such an email.

Has anybody looked at this and what is the general idea?

Suggestions at our site are to make the notification/watchlist message less informative, like:
‘something is changed in page xxxxx’ (where xxxx is a link to the page with the pretty-title as label)
And explain to users that they can use the ?viewer=history and within that screen the compare to find the actual detailed changes.

Not if you use SSL/TLS.

You can configure the watchlist/notifications mail templates, see for ex:

Thx

In our Administrator page: Email, Mailsending, additional properties we have:
mail.smtp.starttls.enable=true

Does this mean we use SSL/TLS?

I’d say yes, see https://extensions.xwiki.org/xwiki/bin/view/Extension/Mail%20Application#HMailSending
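An added configuration example, not part of the thread or of the XWiki documentation: the property quoted above next to a stricter variant, using standard JavaMail SMTP properties. It assumes the site's SMTP server supports STARTTLS and presents a certificate matching its host name.

```properties
# As posted in the thread: STARTTLS is used when the SMTP server advertises it.
# If the server does not advertise it, JavaMail continues the session
# without TLS and the notification mail is sent in clear text.
mail.smtp.starttls.enable=true

# Stricter variant (assumption: the site prefers a failed send over a clear-text send).
# Abort the send when STARTTLS cannot be negotiated.
mail.smtp.starttls.required=true
# Check that the server certificate matches the SMTP host name.
mail.smtp.ssl.checkserveridentity=true
```

These settings cover only the connection from XWiki to its own SMTP server; later relay hops and the recipient's mailbox are outside their scope.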

thx, useful.

Still, the technical transport might be safe, but the information ends up in somebody’s inbox, which we assume is LESS safe. Many people do not really have strict security on their email environments and we read enough about attacks on these email providers.

The information about how to modify the content is very useful, but before modification we are interested in policies that drive such a modification…

So please share how anybody has motivated such a modification?

By default, you don’t display a lot of information, see: https://extensions.xwiki.org/xwiki/bin/view/Extension/Notifications%20Application/#HSelectthelevelofdetailsaboutthechanges

Hi Guillaume, in the example about details it shows exactly what I mean. User account changed and the notification shows the actual attributes of the object changed. Old value and new value.

This is GDPR-sensitive data when viewed by an unauthorized person.

What we would like:
Account information changed on date/time by user xxxx
No more details about what was changed…

So ‘nothing’ would be perfect for our use case. Is this functionality in XWiki 8.4.x?

No, the notifications have been introduced in the 9.x cycle. So it means you use the Watchlist (https://extensions.xwiki.org/xwiki/bin/view/Extension/Watchlist%20Application). As Vincent said, for the Watchlist, you need to customize the template: https://extensions.xwiki.org/xwiki/bin/view/Extension/Watchlist%20Application#HAdministrators:CustomizingtheWatchListemailtemplate