The User data structure could potentially leak Identity information
Summary: We pass the User trait to a number of subsystems, which is okay in principle, but that trait exposes the Identities for that User. This makes it too easy to accidentally compromise the Identity firewalls.
The fix is conceptually straightforward: lift a slimmer trait out of User that carries no inherent Identity information. (And possibly a variant that is a User plus a single Identity.) This is likely to break lots of code, but we're going to have to cope with that. Identity lookups should always go through the Identity subsystem, so that you can't trivially divulge the wrong Identity by accident.
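The split described above, sketched as an added Rust example (not the project's own code): a slim trait handed to ordinary subsystems, a User type whose identities stay private, and an Identity subsystem that is the only place a User-plus-one-Identity value can be produced. All names other than User and Identity are hypothetical.

```rust
use std::collections::HashMap;

// Added illustration of the proposed split; every name besides User and Identity is hypothetical.
#[derive(Clone, Debug, PartialEq, Eq, Hash)]
pub struct IdentityId(pub u64);

#[derive(Clone, Debug, PartialEq)]
pub struct Identity { pub id: IdentityId, pub display_name: String }

#[derive(Debug, PartialEq)]
pub enum IdentityError { NotLinkedToUser, Unknown }

/// The slim trait lifted out of User: what ordinary subsystems receive. No Identity data here.
pub trait Principal {
    fn user_id(&self) -> u64;
}

/// The full User keeps its linked identities private; nothing outside this module can read them.
pub struct User { id: u64, identities: Vec<IdentityId> }

impl User {
    pub fn new(id: u64, identities: Vec<IdentityId>) -> Self { User { id, identities } }
}

impl Principal for User {
    fn user_id(&self) -> u64 { self.id }
}

/// The "User plus a single Identity" variant; only the Identity subsystem constructs it.
pub struct UserWithIdentity<'a> { pub user: &'a dyn Principal, pub identity: Identity }

/// The Identity subsystem: the one place identities are resolved, and only for the owning user.
pub struct IdentityService { store: HashMap<IdentityId, Identity> }

impl IdentityService {
    pub fn new(identities: Vec<Identity>) -> Self {
        IdentityService { store: identities.into_iter().map(|i| (i.id.clone(), i)).collect() }
    }

    /// Resolve `wanted` for `user`; refuses unless that identity is actually linked to the user.
    pub fn resolve<'a>(&self, user: &'a User, wanted: &IdentityId) -> Result<UserWithIdentity<'a>, IdentityError> {
        if !user.identities.contains(wanted) { return Err(IdentityError::NotLinkedToUser); }
        let identity = self.store.get(wanted).cloned().ok_or(IdentityError::Unknown)?;
        Ok(UserWithIdentity { user, identity })
    }
}

/// A subsystem that only needs a Principal: it has no way to reach any Identity.
pub fn audit_line(p: &dyn Principal) -> String { format!("user={}", p.user_id()) }
```

In a real code base User and IdentityService would live in the same module (or IdentityService would be the only holder of the identity list) so that the private field is the firewall, and every other subsystem takes `&dyn Principal`.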