Restrict public viewing of user profile


(Daveyon Mayne) #1

If this can be done with little coding until Discourse wants to add it to their new release then great, but can this be done? Changes in red: (Typo: “users must be logged in…”)


(Mittineague) #2

I’m all for this. We got a lot of what I call “Profile self-SPAMers” at vB i.e. join to put a link (or even only a non-link URL) and often a spiel in their Profile, then never participate in the forum. And the practice is continuing at Discourse.

Even though the vB Profiles were viewable only to those logged in (and no search bots could log in) that fact didn’t stop them from doing it. So I doubt if it would stop them at Discourse either.

But it might reduce it some.

Ideally such accounts would be auto-pruned after an arbitrary amount of time.


(Daveyon Mayne) #3

@Mittineague I see where you are coming from. I was a vB admin but got to hate it. My reason is a bit different. I will have special users on my website (well…upcoming website) with private profile so I want to restrict non-members to view their profile without first being a member. The aim to get many registration.


(Mittineague) #4

So making tha ability to see registered members’ Profiles an incentive for anons to register?
I’ve never thought of Profiles that way, but I guess they are Content after all.


(Daveyon Mayne) #5

The forum I want will have details of IT Guys so to see their details… at least be a member first. :wink:


(Jeff Atwood) #6

Just for the record, /users/ is a disallowed path in robots.txt by default, so no user pages will ever be indexed by web crawlers.


(Mittineague) #7

[quote=“codinghorror, post:6, topic:21098, full:true”]
Just for the record, /users/ is a disallowed path in robots.txt by default, so no user pages will ever be indexed by web crawlers.
[/quote] – as long as they are crawlers that don’t ignore the robots.txt instructions.

Not exactly the same as"no" “ever” but close enough I guess.
And now that email addresses are no longer available from Profiles there isn’t much incentive to ignore the robots.txt that I can think of.


(Daveyon Mayne) #8

So to my first question, can this be done or not? Or even to restrict the uploading of profile pictures or prevent non members from viewing the profile pictures. Those pictures can act as business cards.


(Mittineague) #9

new members can’t upload pictures - they find that out when they try, but it doesn’t take much to get to the basic Trust Level,
I haven’t explored the Admin settings pages lately, or ever to any great extent, but IIRC at least the Trust Level requirements cat be set to other than the default.


(Joe Seyfried) #10

Sorry to revive this, but the very same request has surfaced in our community. Are there any plans to implement this? Additionally, the /users page is visible to anonymous visitors (though not crawlers, but anyway) plus all the badges pages reveal a somehow complete list of discourse users, even if you do not have an account.


(Kane York) #11

What’s your concern with allowing anon viewing? Or was it stated above?


(Joe Seyfried) #12

The concern in my community is that there is no option to restrict the “last post” or “joined” dates. Especially the first one can be a bit problematic - in our old forum software, one could choose to hide one’s online presence. Now, everyone can check when I last posted something online - even without registering.


(Jeff Atwood) #13

Do you mean “last visit date”? Your last post is always a public artifact unless your last post was in a PM.


(Joe Seyfried) #14

Sure - actually both. „Last seen“ and „last post“. Of course you can search for the user’s posts - but for privacy-oriented communities, it would be nice to either restrict visibility of the user details. Either site-wide, or maybe on a per-user basis like “I want to share my details [ ] with everyone [ ] registered users only [ ] no one”. So you present yourself either like this:

…or that:

If you post something, it’s clear that this is visible (unless you post in a hidden category). But if you only browse the site, we find it questionable that this data should be world-readable without a possibility to prevent it.


(Joe Seyfried) #15

Uhm… I was just trying to put something together, but am stuck here: Why can’t I do this:


<script>
  Discourse.User.reopen({
    last_seen_at: function() {
        /* do clever stuff based on whether or not we're anonymous */
    }.property(),
  });
 </script>

…that doesn’t seem to get called at all. Any hints for the clueless?


(Kane York) #16

It probably gets overridden by the actual data.


(Joe Seyfried) #17

Um… and who overwrites it with actual data? I didn’t really find out - I guess it’s coming somewhere from the underlying RestModel?


(Kane York) #18

Due to the prototypical inheritance system, if the object has a property last_seen_at (the date) and its prototype (here, the class definition) has a property last_seen_at (your function), the object’s property gets used first.


(Simon Cossar) #19

If there was some sort of ‘logged-in’ class added to the body it would be easy to do with css.


(Logan Mathews) #20

Those who are overly concerned with privacy and hiding a user’s recent activity are unlikely to settle for a CSS solution. It’d be simple to to just look into the source of the page and pull the data out for a specific user. CSS is never a tool to provide security or privacy.