Is it a security violation to show a directory of users?

purldator · March 23, 2015, 10:20pm

I agree 100% with that which goes back to @codinghorror’s contention that it’s too early to call up the concept that a high percentage of communities running on Discourse have a predisposition to react in a profoundly negative way to the user directory’s features that warrants a hard coded switch in the admin CP to turn it off.

My initial response aligns with Design To Thrive’s methods of keeping elder members for longer. Those who equal to higher trust levels on a Discourse-run community and maintain that position by creating original content and/or engaging the other users in a way that should be exemplified in a constructive manner. Everyone wants a little attention for their efforts. Using the in-system metrics to show that is something worth exploring which is why I am initially positive to the user directory and its presentation.

Mittineague · March 23, 2015, 11:06pm

I guess Badges and Trust Levels do that to some extent.
Though with not having Signatures another “perk” would be nice.

riking · March 24, 2015, 12:06am

Consider this: someone who hired him now has his customer list.

I’m coming to agree that a user directory is bad for some usages.

sam · March 24, 2015, 12:06am

so they can go ahead and hide it from the UI with 1 CSS rule?

codinghorror · March 24, 2015, 12:39am

Yeah, but they already have that by virtue of seeing other people post. If someone posts, they are a customer, and you can see them posting.

downey · March 24, 2015, 4:39am

Not if your clients post in a client-only private category.

codinghorror · March 24, 2015, 4:44am

Yeah but someone who posts only in a private category would not show up in these stats, would they @eviltrout? I would say you need at least one post in a public category to be included in the users list.

watchmanmonitor · March 24, 2015, 4:52am

Oy - now the Users page is actually just an Active Users page? I would hope it’s title matches…

I’d rather it just be all users, and be called Users.

codinghorror · March 24, 2015, 4:57am

Well, that’s boring – I don’t care if you are a member if you never posted. What’s the point? Like a high school yearbook that shows pictures of people who never attended a day of class?

downey · March 24, 2015, 5:05am

Not all communities exist only within Discourse. And some communities are new users of Discourse with a large existing user base.

codinghorror · March 24, 2015, 5:06am

Fine, but that is not the design function of this page.

Sander78 · March 24, 2015, 7:08am

The reason is indeed this:

downey · March 24, 2015, 11:39am

and

Hmm. So, what actually is the design function of the “user directory” then, if not to be a directory of users of the site?

DeanMarkTaylor · March 24, 2015, 12:33pm

I have the alternative use case:

Some public categories:
for users to introduce themselves to the community (“Newbies” category")
public “Events” categories.
Some users get to by-pass posting in the “Newbies” category if introduced by a member of the community.
Large number of non-public categories which contain the majority of content.
Would still like the “Users Directory” to display non-public activity as this community is “effectively public”, just with a optional staging area for users as a gateway to the private categories.
The larger community / activity exists in “private categories” - but the community very much sees this as public.

eviltrout · March 24, 2015, 6:36pm

Yes, it does not count activity from restricted categories.

DeanMarkTaylor · March 25, 2015, 1:30am

For me excluding restricted category content does not provide an accurate user directory view.

In same as removing the restricted category counts from the totals on the about page would.

Would posts from “Lounge” not be counted?

eviltrout · March 25, 2015, 2:56pm

Yes it’s a restricted category. I understand the argument, but it would be very inefficient to query a version of the user directory based on who is looking at it.

DeanMarkTaylor · March 25, 2015, 3:40pm

That wasn’t what I was thinking.

Perhaps the notion of a “public” or “private” forum / discourse instance…

For me the existence of a users activity on a public forum instance should display publicly - there is no issue in displaying a count of posts a user has made in the “Lounge”. If these counts do not include content from “restricted categories” my users will see the user directory as very broken.

For @Sander78 however displaying / including counts from “restricted categories” rises a privacy issue and I would consider his forum instance as “private”. Actually for him I would see the trust(1) level(2) pages(3) as a further issue in terms of revealing who is using his forum privately.

eviltrout · March 25, 2015, 3:47pm

I disagree. I feel that most users would see counts of their private activity (ie restricted categories) to be a privacy issue. You can imagine someone watching their directory and saying “oh wow you can see them posting a lot of restricted stuff!”

It seems much safer just to exclude it.

DeanMarkTaylor · March 25, 2015, 4:07pm

The issue I have is that ~90% of user activity occurs in “restricted categories” and I would like that to be seen in the Users Directory.

In my case users would say “where are my posts - I’ve posted - but my posts included in the count”.