Is it a security violation to show a directory of users?

Beautiful. But as @watchmanmonitor said there should be an admin option to restrict visibility of the user directory.

1 Like

I don’t really understand the reasoning behind “this should be hideable”.

You can get the same info by visiting user pages, so you’d need to hide all user pages, too.

People aren’t really going to take the time to visit every single page, and if someone just wants to be a lurker, they’d never be discovered by their posts (but would ostensibly be visible at the bottom of the list).

From a privacy and data harvesting point of view, I know that another group I’m setting up on discourse would not be OK with someone being able to view the entire directory.

1 Like

Still, that’s security-by-illusion. If someone wanted to bad enough, they could hit the API to pull the users.


Where are these users getting an API key?

Just add .json to any URL and see what happens! No need for authentication (api key) for this use of the API. This user data is 100% public, if someone wants it, they can get it. Regardless of whether the /users page is visible or not.


We’re going down a rabbit hole here. Presenting this data in such a useful, beautiful, inviting way* is far different than someone discovering the API and making thousands of while guesses as to the names of all users.

*this really is a great feature.

1 Like

No no, using the anonymous API they can enumerate all the users. Perhaps I wasn’t clear. No guessing is involved at all.

Regular humans won’t bother doing this.

1 Like

oy vey. I’ll burn that bridge later… I’m really not worried about API use.

A simple use case then:

A company has clients and for every group a special category that only the members of that group can see. No need to see who else is a client of that company.


Frankly, if you’re worried about security or confidentiality, you must worry about a motivated attacker. As long as the API allows anonymous enumeration of users and anonymous access to user profiles, hiding stuff from the GUI is just pointless; in fact, I think it’s better to put it out there so that all users realize what kind of information about them is publicly visible.

However, this does in no way mean that this level of security is pointless in general. If you’re building a site with strong confidentiality requirements, then those are the requirements you need. No ifs or buts, noone’s arguing against your needs, it’s your decision. But right now, Discourse simply doesn’t provide this feature yet and security is too important for a bandaid solution.

All that said… having a site setting to disable the directory is still a good idea, even if only because some people may consider it clutter and want to remove that entry from the menu. Also, one could argue that the directory might cause previously peaceful users to look for shortcuts to compete for the top spots, thus lowering overall content quality.


I’m more concerned with idle gossip and petty frustrations between users. This /users thing is really nice, but just a source of distraction in an otherwise dedicated group. I just don’t want to have to deal with this, if it can be avoided.

Of course, from a forum admin point of view, and to see my standing on meta, it’s very interesting data that I’m glad was surfaced.

EDIT Added my hypocrisy :wink:

1 Like

It’s pretty much the same rationale for making the badge system optional. Admins should able to opt-in to “competetive” natured components.


Yes, but you are basing this on… what data?

Who is to say there will be a problem? How would they know this page even exists? It’s not exactly listed in the topnav…

1 Like

Yes it is, under “Users”. :slight_smile:

1 Like

That’s the hamburger menu… :smiley:

1 Like

I would rather institute this option based on evidence of an actual problem instead of “we are guessing what will happen”.

I don’t like options explosions, we have enough as it is.


I think this whole topic is foolish.

Does it violate a user of a public forum to display their public activity in a public list?

I think not, especially considering that all the same information is already displayed elsewhere(1) within(2) the(3) site(4) without(5) use(6) of(7) any(8) public(9) API.
(with one exception “Topics Entered”).

Yes, it’s not collated in one place - but it’s still there.

These “people” can always use CSS to hide the menu option, even if there isn’t an admin option to hide it.

#site-map-dropdown a[href="/users"] {
  display: none;

Don’t forget:

  • Load the latest topics list until you’ve seen last month
  • Open all the topics and record the list of users
  • Profit??? Probably not…