I just learned that users in trust level 3 do not have nofollow on the links that they post, but there’s no option for me to configure this at all.
Considering my site is extremely reliant on Google traffic, I really don’t want users on the forum having the ability to build SEO links. (even if I do trust the current “leaders” on my forum), it’s not the point.
temporary fix would be raising TL3 requirements for the time being 
Well yeah, but since we already gave those people leader role it seems crappy to take it away.
We can add a site setting, but making all the copy everywhere dynamic is going to be tricky.
A site setting would definitely be a good solution.
Google themselves, and Matt Cutts personally, have told me many times that Google believes trusted users should have followed links. I can dig up the exact quotes if that helps.
Found this on MSE:
… we’re trying to encourage sites with valuable user-generated content (like Stack Exchange) to have a more nuanced approach to the nofollow attribute on user-generated links. Using the attribute on all user-generated links takes away a big incentive from spammers, and prevents spammy links from being included in search ranking. However, good links can also be made invisible to search engines with this policy, so we miss out on that ranking signal, which could be used to surface better or fresher high-quality content that your users are recommending.
Yeah, sure. Google wants their job to be easier, and regular links help them figure out rankings more easily.
They don’t help me, however.
Here’s the full email from Matt Cutts, dated 11/3/2011
Hey Jeff, we’re trying to encourage sites with valuable user-generated content (like Stack Exchange) to have a more nuanced approach to the nofollow attribute on user-generated links. Using the attribute on all user-generated links takes away a big incentive from spammers, and prevents spammy links from being included in search ranking. However, good links can also be made invisible to search engines with this policy, so we miss out on that ranking signal, which could be used to surface better or fresher high-quality content that your users are recommending.
Would you be willing to try a slightly different approach? We’d like to recommend lifting the nofollow attribute on links posted by your most trusted users. So for example, right now it looks like all links in user comments are nofollowed. Since your readers are the type who could be posting links to resources that might be more obscure or hard to search for, it’d be great if we could be able to follow those links to use in discovery and ranking–if the user is high-quality. Links that we’d want to see could come from users who have been posting for a while with ever having their comments removed for spam, and users who use real names or nicknames (rather than names like “cheap furniture” or “web design”).
Let me know what you think, and hope you’re doing well,
Matt
There’s a HUGE difference between trusted users on Stack Exchange and trusted users on a forum, and even more so with the current implementation.
On Stack Exchange users are expected to answer really tough questions with really solid, well-written answers if they want to get any upvotes. That requires skill and dedication, and the scale of their user base means that it’s really likely that somebody would have noticed some spam links somewhere.
And it’s worth noting that Stack Exchange didn’t just make all “trusted” users have followed links. Read the meta post. They did it for Posts that are considered Reputable…
Starting today we will be removing nofollow on links within posts that hit a high enough threshold to be considered reputable. The details will remain somewhat vague at the moment to discourage gaming of this feature.
On a forum, people post conversational things that are sometimes Liked. The most likes are usually reserved for a funny picture and a witty retort. Not exactly the stuff of high-quality link building.
…
On Discourse, all you need to do to be a “leader” is post 10 replies. (and yeah, visit and “read” a bunch, but that could be easily automated with a bot.)
A clever spammer just needs to get involved in every DIscourse forum enough to post 10-20 times, get some people to hit Like once… and then run a bot that checks the page every day for 100 days. Then they can post links without nofollow.
I’m going to dramatically change the requirements for becoming a Leader on my forum.
Just a reminder that we are a 100% JavaScript project, so being a “bot” against us means running a full browser, with full JavaScript, the DOM, GUI, etcetera. You’d have to basically script a browser running in Linux, Windows or OSX.
If you can show me evidence of anyone running a bot successfully against us, I’d love to see it – even human spammers barely try more than a few times, much less for 100+ days, with all the read count, like, flag, read time, etc requirements we have at each trust level.
To pull of something like that, you wouldn’t have to be a clever spammer, you’d have to be the most dedicated, smartest spammer in the world. And I’m pretty sure there’s way lower hanging fruit out there – why bother with the door that has 3 locks when most people leave the door unlocked?
No, you must do all of the following:
TL1
TL2
TL3… now they can. all of the previous levels must be met.
We’ll look at it, but do those spammers have even TL1?
So does the 10 topics not include the 3 from TL2? Or does it even matter? There’s not really a difference between replying 10 times or 13 times.
13 posts does not a trusted leader make.
I mean, that’s a whopping 260 minimum required characters. That’s like 30-40 words?
And definitely not trusted enough to start handing out regular follow links.
I’d also like to point out that it’s only a matter of time before bots are being written in Javascript. You keep using that argument, which ironically will be proven wrong by Atwood’s law.
I mean, they’ve already started hijacking Chrome / Firefox extensions and turning your browser into monitor of everything you look at, or injecting ads into sites you visit, or worse…
There’s a huge problem with spammers on Facebook and other sites tricking people into auto-liking stuff to make it go viral.
And writing a browser extension is really easy.
OK, but none of that is material; if your main beef is that follow is the worst most dangerous tool in the world and nobody can be trusted with it, ever, then lobby for that setting as a global.
I don’t think it makes sense to gut leader, and your community, just out of fear.
(And the reason I make that argument is because when you take away your low-hanging fruit, the bad guys will always go after the infinity of other low-hanging fruit before bothering with you, because they’re lazy, and easy fruit is easy. I’m pretty sure I’ll be dead, and so will you, before the rest of that easy stuff is gone…)
Wasn’t that what I did in the first place?
And I would like to leave everything else the way it was. I just don’t want followed links by forum users, period.
I don’t know why I have to fight for every tiny little thing.
But seriously, why not trust your most avid users a bit? Do they really have a habit of posting questionable links?
You saw what Matt Cutts said about this. And looking at the list of Leaders on your site, it’s a valid list.
My big concern here is copy, the global is trivial but having dynamic copy everywhere is a huge PITA.