From 2f471155b8a1dc078c0fda2ff57a83a942ca837a Mon Sep 17 00:00:00 2001
From: Marcel
Date: Mon, 8 Jun 2026 18:09:40 +0200
Subject: [PATCH] =?UTF-8?q?fix(review):=20replace=20email=20fallback=20wit?=
 =?UTF-8?q?h=20[Unbekannt]=20in=20AuthorView=20=E2=80=94=20prevents=20CWE-?=
 =?UTF-8?q?359=20leak?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-Authored-By: Claude Sonnet 4.6
---
 .../raddatz/familienarchiv/geschichte/GeschichteService.java | 2 +-
 .../familienarchiv/geschichte/GeschichteServiceTest.java | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/backend/src/main/java/org/raddatz/familienarchiv/geschichte/GeschichteService.java b/backend/src/main/java/org/raddatz/familienarchiv/geschichte/GeschichteService.java
index 37a1b75f..038346c9 100644
--- a/backend/src/main/java/org/raddatz/familienarchiv/geschichte/GeschichteService.java
+++ b/backend/src/main/java/org/raddatz/familienarchiv/geschichte/GeschichteService.java
@@ -78,7 +78,7 @@ public class GeschichteService {
 if (author != null) {
 String displayName = ((author.getFirstName() != null ? author.getFirstName() : "") + " " + (author.getLastName() != null ? author.getLastName() : "")).trim();
- if (displayName.isBlank()) displayName = author.getEmail();
+ if (displayName.isBlank()) displayName = "[Unbekannt]";
 authorView = new GeschichteView.AuthorView(author.getId(), displayName);
 }
 return new GeschichteView(
diff --git a/backend/src/test/java/org/raddatz/familienarchiv/geschichte/GeschichteServiceTest.java b/backend/src/test/java/org/raddatz/familienarchiv/geschichte/GeschichteServiceTest.java
index 19c72c15..f72c7040 100644
--- a/backend/src/test/java/org/raddatz/familienarchiv/geschichte/GeschichteServiceTest.java
+++ b/backend/src/test/java/org/raddatz/familienarchiv/geschichte/GeschichteServiceTest.java
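Review bot: The new fallback literal `"[Unbekannt]"` is written inline at the assignment, and the test in the other file now repeats the same literal, so the two can drift apart silently; extract it into a class constant, `private static final String UNKNOWN_AUTHOR = "[Unbekannt]";`, and write the fallback as `if (displayName.isBlank()) displayName = UNKNOWN_AUTHOR;`. The change removes the email only at this one call site; if other views derive a display name from the same author type they may still fall back to `getEmail()` (not visible in this hunk), so moving the name derivation into a single helper would make the no-email rule hold everywhere rather than relying on each caller remembering it. `author.getId()` is still placed in the AuthorView on the following line, which is fine if that is an opaque public identifier but worth a second look if it doubles as a login or account key. The enclosing method starts and ends outside the hunk.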
@@ -123,7 +123,7 @@ class GeschichteServiceTest {
 }
 @Test
- void getById_author_displayName_falls_back_to_email_when_names_blank() {
+ void getById_author_displayName_falls_back_to_Unbekannt_when_names_blank() {
 authenticateAs(reader, Permission.READ_ALL);
 UUID id = UUID.randomUUID();
 Geschichte published = published(id);
@@ -133,7 +133,7 @@ class GeschichteServiceTest {
 GeschichteView result = geschichteService.getById(id);
- assertThat(result.author().displayName()).isEqualTo("anon@test");
+ assertThat(result.author().displayName()).isEqualTo("[Unbekannt]");
 }
 @Test