Is it a security violation to show a directory of users?


(Jason May) #1

Beautiful. But as @watchmanmonitor said there should be an admin option to restrict visibility of the user directory.


User directory feedback
(Jeff Atwood) #2

I don’t really understand the reasoning behind “this should be hideable”.

You can get the same info by visiting user pages, so you’d need to hide all user pages, too.


(Allen - Watchman Monitoring) #3

People aren’t really going to take the time to visit every single page, and if someone just wants to be a lurker, they’d never be discovered by their posts (but would ostensibly be visible at the bottom of the list).

From a privacy and data harvesting point of view, I know that another group I’m setting up on discourse would not be OK with someone being able to view the entire directory.


(Jeff Atwood) #4

Still, that’s security-by-illusion. If someone wanted to bad enough, they could hit the API to pull the users.


(Allen - Watchman Monitoring) #5

Where are these users getting an API key?


(Jeff Atwood) #6

Just add .json to any URL and see what happens! No need for authentication (api key) for this use of the API. This user data is 100% public, if someone wants it, they can get it. Regardless of whether the /users page is visible or not.


(Allen - Watchman Monitoring) #7

We’re going down a rabbit hole here. Presenting this data in such a useful, beautiful, inviting way* is far different than someone discovering the API and making thousands of while guesses as to the names of all users.

*this really is a great feature.


(Jeff Atwood) #8

No no, using the anonymous API they can enumerate all the users. Perhaps I wasn’t clear. No guessing is involved at all.


(Michael Downey) #9

Regular humans won’t bother doing this.


(Allen - Watchman Monitoring) #10

oy vey. I’ll burn that bridge later… I’m really not worried about API use.


(Sander Datema) #11

A simple use case then:

A company has clients and for every group a special category that only the members of that group can see. No need to see who else is a client of that company.


(Jens Maier) #12

Frankly, if you’re worried about security or confidentiality, you must worry about a motivated attacker. As long as the API allows anonymous enumeration of users and anonymous access to user profiles, hiding stuff from the GUI is just pointless; in fact, I think it’s better to put it out there so that all users realize what kind of information about them is publicly visible.

However, this does in no way mean that this level of security is pointless in general. If you’re building a site with strong confidentiality requirements, then those are the requirements you need. No ifs or buts, noone’s arguing against your needs, it’s your decision. But right now, Discourse simply doesn’t provide this feature yet and security is too important for a bandaid solution.

…

All that said… having a site setting to disable the directory is still a good idea, even if only because some people may consider it clutter and want to remove that entry from the menu. Also, one could argue that the directory might cause previously peaceful users to look for shortcuts to compete for the top spots, thus lowering overall content quality.


(Allen - Watchman Monitoring) #13

I’m more concerned with idle gossip and petty frustrations between users. This /users thing is really nice, but just a source of distraction in an otherwise dedicated group. I just don’t want to have to deal with this, if it can be avoided.

Of course, from a forum admin point of view, and to see my standing on meta, it’s very interesting data that I’m glad was surfaced.

EDIT Added my hypocrisy :wink:


(Michael Downey) #14

It’s pretty much the same rationale for making the badge system optional. Admins should able to opt-in to “competetive” natured components.


(Jeff Atwood) #15

Yes, but you are basing this on… what data?

Who is to say there will be a problem? How would they know this page even exists? It’s not exactly listed in the topnav…


(Michael Downey) #16

Yes it is, under “Users”. :slight_smile:


(Jens Maier) #17

That’s the hamburger menu… :smiley:


(Jeff Atwood) #18

I would rather institute this option based on evidence of an actual problem instead of “we are guessing what will happen”.

I don’t like options explosions, we have enough as it is.


(Dean Taylor) #19

I think this whole topic is foolish.

Does it violate a user of a public forum to display their public activity in a public list?

I think not, especially considering that all the same information is already displayed elsewhere(1) within(2) the(3) site(4) without(5) use(6) of(7) any(8) public(9) API.
(with one exception “Topics Entered”).

Yes, it’s not collated in one place - but it’s still there.

These “people” can always use CSS to hide the menu option, even if there isn’t an admin option to hide it.

#site-map-dropdown a[href="/users"] {
  display: none;
}

(Kane York) #20

Don’t forget:

  • Load the latest topics list until you’ve seen last month
  • Open all the topics and record the list of users
  • Profit??? Probably not…