Problem/Motivation
Usernames are somewhat important, especially for brute force attacks. Although the Drupal security team does not consider exposure of usernames a weakness, we should still make a best effort to add a capability to hide them.
Proposed resolution
Base the ability to view usernames off the "view label" entity access operation introduced in New 'view label' entity access operation added.
See also #849602-59: Update 'username' theme template to use 'view label' operation.
Remaining tasks
-
Data model changes
Original report by greggles
Usernames are somewhat important, especially for brute force attacks.
There are a few callbacks in contributed modules that let people see usernames that I would like to change to "access user profiles". We need core to be consistent on this front first, though.
theme_username currently does some access checking to determine whether or not to link to the profile. I suggest we also check to see whether or not the user should be allowed to see the username.