Is it a security violation to show a directory of users?

That is what I have been meaning to speak about in regards to private profiles.

Either I have to completely shut off my community (private) or have restricted categories, BUT ergo, Discourse considers the latter set up ‘public’ and thus other items (such as profiles, user activity listed elsewhere or not confusing things) are still technically ‘public’ and now open for every visitor or random passerby to gawk at.

At least with SMF I could fine-tune those things so I could have some in-between state. I could have public topics/categories to whet visitor’s appetites while keeping the rest of the forum (and profiles, et al) secure.

This in-between state could also allow me to have a public category for a top-level domain blog and allow visitors to interact with blog comments via Discourse. Can’t have that with Discourse if it means giving up privacy for my userbase with their profiles and other activity, or hints of it.

EDIT: To round this to the current topic, I will say that having privacy built into the new user directory would be moot for my ‘usual/old’ set up described above. In fact, I would highly welcome all the activity front and center for public view, especially if someone registers an account to use the front-end blog and eventually apply for the actual community (which is private). That way they can see who is active, and who they can possibly PM to ask questions. With the profile privacy feature idea, clicking to a profile yields a login wall for a guest. That is fine. When they actually sign up is when they would see profiles and then they can slowly go through the motions of applying to become a member of the private community.

But closing off the entire thing like some ivory tower wouldn’t allow me to use Discourse in conjunction with a public blog. Nor would I be able to show bits and pieces of the private community with topics and member profiles once they take the plunge and log in to explore more. If it isn’t for them, they simply don’t post and delete their account or just never log in.

1 Like