Is it a security violation to show a directory of users?

I agree 100% with that which goes back to @codinghorror’s contention that it’s too early to call up the concept that a high percentage of communities running on Discourse have a predisposition to react in a profoundly negative way to the user directory’s features that warrants a hard coded switch in the admin CP to turn it off.

My initial response aligns with Design To Thrive’s methods of keeping elder members for longer. Those who equal to higher trust levels on a Discourse-run community and maintain that position by creating original content and/or engaging the other users in a way that should be exemplified in a constructive manner. Everyone wants a little attention for their efforts. Using the in-system metrics to show that is something worth exploring which is why I am initially positive to the user directory and its presentation.

I guess Badges and Trust Levels do that to some extent.
Though with not having Signatures another “perk” would be nice.

Consider this: someone who hired him now has his customer list.

I’m coming to agree that a user directory is bad for some usages.

1 Like

so they can go ahead and hide it from the UI with 1 CSS rule?


Yeah, but they already have that by virtue of seeing other people post. If someone posts, they are a customer, and you can see them posting.

Not if your clients post in a client-only private category. :sunglasses:

Yeah but someone who posts only in a private category would not show up in these stats, would they @eviltrout? I would say you need at least one post in a public category to be included in the users list.

1 Like

Oy - now the Users page is actually just an Active Users page? I would hope it’s title matches…

I’d rather it just be all users, and be called Users.

Well, that’s boring – I don’t care if you are a member if you never posted. What’s the point? Like a high school yearbook that shows pictures of people who never attended a day of class?

Not all communities exist only within Discourse. And some communities are new users of Discourse with a large existing user base.

Fine, but that is not the design function of this page.

The reason is indeed this:



Hmm. So, what actually is the design function of the “user directory” then, if not to be a directory of users of the site?

I have the alternative use case:

  • Some public categories:

  • for users to introduce themselves to the community (“Newbies” category")

  • public “Events” categories.

  • Some users get to by-pass posting in the “Newbies” category if introduced by a member of the community.

  • Large number of non-public categories which contain the majority of content.

  • Would still like the “Users Directory” to display non-public activity as this community is “effectively public”, just with a optional staging area for users as a gateway to the private categories.

  • The larger community / activity exists in “private categories” - but the community very much sees this as public.


Yes, it does not count activity from restricted categories.

For me excluding restricted category content does not provide an accurate user directory view.

In same as removing the restricted category counts from the totals on the about page would.

Would posts from “Lounge” not be counted?

Yes it’s a restricted category. I understand the argument, but it would be very inefficient to query a version of the user directory based on who is looking at it.

That wasn’t what I was thinking.

Perhaps the notion of a “public” or “private” forum / discourse instance…

For me the existence of a users activity on a public forum instance should display publicly - there is no issue in displaying a count of posts a user has made in the “Lounge”. If these counts do not include content from “restricted categories” my users will see the user directory as very broken.

For @Sander78 however displaying / including counts from “restricted categories” rises a privacy issue and I would consider his forum instance as “private”. Actually for him I would see the trust(1) level(2) pages(3) as a further issue in terms of revealing who is using his forum privately.

1 Like

I disagree. I feel that most users would see counts of their private activity (ie restricted categories) to be a privacy issue. You can imagine someone watching their directory and saying “oh wow you can see them posting a lot of restricted stuff!”

It seems much safer just to exclude it.

The issue I have is that ~90% of user activity occurs in “restricted categories” and I would like that to be seen in the Users Directory.

In my case users would say “where are my posts - I’ve posted - but my posts included in the count”.