Is there any possibility, that only Members can view the personal Profiles?


(Johannes Eck) #1

Hello Members,

I would like to avoid, that anyone in the “www” can read and visit my members profiles.

Is it possible, that everyone can read in the forum, but if you want wo visit a profile you have to log in and create an account?

Thanks in advance
Johannes


Restrict public viewing of user profile
Is it a security violation to show a directory of users?
(Jens) #2

I like this one. Could be an optional setting, like “Show user profiles only to logged in users” in /admin/site_settings/category/users or /admin/site_settings/category/security


(Jeff Atwood) #3

Can you elaborate why this is necessary? What is secret about the users?

If you need the site to be private, switch the whole site to private.


#4

I think installs that have custom user profile fields, some of which could be personal, would benefit from this. Admin may want the discussion to be public and accessible while keeping user profiles slightly more protected.

In fact, this may be an area where additional privacy around “real names” might be valuable. I could envision fora where members talking to other members would want to see real names, but where those names would want to be hidden from the non-registered public and search engines.

I don’t know what Johannes’ use case is, but it sounds like a useful suggestion to me.


(Barbie) #5

The site I moderate is a mental health forum. The members may not want it splashed all over the internet that they are diagnosed with schizophrenia etc. as may be noted in their profiles.


(mountain) #6

Anything can be secret. This is a feature I see on any kind of site that has a userbase, forum or otherwise.

I would instead suggest that this be a per-user option. Some may wish to have their profile not available. Some may wish to have it open. For instance, a few roleplay sites I go to have this option, and even have the option of excluding my profile from google (no index, no follow, ect) while still technically making it viewable to the public. This is because I feel, as a single person, I would like to exclude the rest of the world from what I’m doing on a single site. In my case, I would rather share my stories with those who have accounts. For the ‘exclude from google searches’, that allows me to send a link to my profile and let others view when I wish. Of course, if someone really wanted to find it, they might be able to. These deterrents are for those casual, random eyes (i.e., the world).

Other uses include any sensitive information on the profile as dictated by the forum’s topic as @ZeroFlux and @Barbie explained above.

Here is a sample from the RP site I go to:


(Scott Trager) #7

Even if you do it per-user you still need to be able to configure a default.

If you set it per-user, you might also think about linking it to the trust levels so you could disable it for TL0s so they couldn’t add spam to their profiles (Bonus feature)


(Michael Downey) #8

Seems like there are two scenarios:

  1. The site is public, and posts about sensitive material are already associated with the users’ profiles, because those profiles are listed on the topic pages, regardless of whether their user profile page is public.
  2. The site is private, and neither topics nor users are visible anyway.

Am I missing something in between?


(Jeff Atwood) #9

That is generally why they would be using an anonymous username like “harry146”, isn’t it?


(mountain) #10

If no one wants to use the example of a medical forum, they are free to use mine, which is in regards to personalized content and discussion I don’t want the average web user to see, or google for that matter.

Yes, you can say ‘anything on the net isn’t completely private’. I agree with that. Doesn’t mean I can’t have some protection. Same reason these general options exist, such as no index, no follow, ect. Completely closing the forum like an ivory tower just to hide profiles is like hitting a fly with a bazooka. I know I’ve said that before here elsewhere with another problem.


(Jeff Atwood) #11

Yeah but user pages are always excluded from crawlers via robots.txt by default since they are almost exclusively duplicate content (except for very small bits like the bio, location, etc).


(mountain) #12

If this is Discourse-related, I’ll believe you. However, if I do a vanity google search, I see sometimes my name comes up from forum profiles, which allows me to clean up any residual accounts I no longer use.

But I would like the option for each user to hide their profile from visitors. And as @strager mentioned, an admin setting can be the ‘default’ setting for all profiles, and leave it up to the individual to make that choice. This goes in hand with Discourse’s philosophy of a user owning their own content.If a user can download their forum presence (posts, ect), I’d like to think they can at least hide it from the random bot or visitor and let their profile (which has a list of their user activity) be for their fellow members. It’s only relevant to the forum members after all in the long run. If a user wants an outsider to see their forum history and the ‘link’ between their name and the specific posts, the user only needs to give the visitor a copy of ‘download all posts’ archive. That way, a user explicitly consents to people outside the forum seeing the association, or anything else for that matter (real name, location, any other custom fields, ect).


(Barbie) #13

I can’t disagree with you. The workings and ‘mind set’ of a forum are common to you. That is not true for all end users. I am new to forums and discourse. That is why I joined this forum to learn about discourse. Until I saw this thread I never questioned or thought about whether my profile was public or private. Not knowing forum etiquette I wrongly assumed that profiles were only accessible to other members of the forum.

Discourse being used by a mental health forum may come with it’s own set of complications. Our members are looking for a safe place to discuss their lives. They feel comfortable sharing with others who may be in the same situation however they are not going to want the whole world knowing the ‘annie32’ who replied to a post about anxiety that is searchable on google or whatever is diagnosed with bipolar with psychotic tendencies that she put in her profile. I don’t know if you can appreciate the delicacy of such a situation. You may find it ok that family members know that you are at the doctor for a personal health reason however you may not want everyone to know that personal reason is testicle cancer or herpes.

Maybe I’m wrong to ask that you consider the fact that not all end-users are as versed in forums as you are and that looking to their right to privacy as much as possible could be another ‘selling point’ for discourse :wink:


[Paid] Online Forum Presence and Pseudo-Chat
(Kane York) #14

Would it be appropriate to have the whole forum not indexed in Google, then? There’s a setting for that.


(mountain) #15

I think for some instances, it’s okay to have the messages google-indexed.

What matters is the association of a post (and other posts) with a single user. Clicking a user’s name to get to their forum history is the key thing there. As well as personal identifying information on the profile.

This is why some individuals who want to leave a forum ask the admin to rename their account, scrub the identity from it and reset the password. It becomes an anon and the individual’s identity isn’t compromised.

EDIT: I now realize that if my users can’t hide their profiles from the public, I’ll have to wait or find another forum software solution when I re-deploy my community. This was something my members expected, as one of my personal credos for the community were “You are safe here”. I’d have to explain the whole context behind this, and I doubt you all want to hear about Predator/Yautja fandom. Lets just say there’s a LOT of hate out there and my forum was the ‘safe’ place to have civilized discourse on the subject without being accused of being outright wrong for trying to be creative. And that included some privatization features, such as hiding profiles from the public.


(mountain) #16

Hey there. I am posting to see if there’s any sort of thought given by the developers to add this feature to core since my last post above.

I have explained elsewhere how private profiles can allow admins to have a sort of ‘in between’ private-public state that gives more flexibility for visitors to interact and sign up, but allow users and staff to allow visitors to ‘prove’ themselves this way to let them in on restricted categories.

I tried asking around for a developer who can code me a plugin for this but it went way over budget (of course no fault to them).

I feel this feature would help a mass plethora of instances other than my own.

cc: @codinghorror @sam


(Sam Saffron) #17

you do realize both Jeff and I read everything, all this does is works you into our mute list …


(mountain) #18

Silence does not tell me you read it, however. Silence tells me you both possibly didn’t see it, because I don’t automatically assume you both are ignoring feature requests that explain in detail possible ways it could benefit most other instances.

A large number on the user directory is irrelevant.

However, I do not make a case to cc-@mention people constantly. If I am on a mute list, then I understand the ramifications and take them.

But it doesn’t answer my initial question and the silence after the fact made it clear that I have no possible way of knowing you or Jeff read anything.

A simple ‘no’ will suffice.


(Mittineague) #19

Exactly … …,…


(mountain) #20

Haha, touche. Well. Maybe “We have decided not to implement this. It’s plugin material.”

Or “We are thinking about it.”