Restrict public viewing of user profile

Just for the record, /users/ is a disallowed path in robots.txt by default, so no user pages will ever be indexed by web crawlers.

[quote=“codinghorror, post:6, topic:21098, full:true”]
Just for the record, /users/ is a disallowed path in robots.txt by default, so no user pages will ever be indexed by web crawlers.
[/quote] – as long as they are crawlers that don’t ignore the robots.txt instructions.

Not exactly the same as"no" “ever” but close enough I guess.
And now that email addresses are no longer available from Profiles there isn’t much incentive to ignore the robots.txt that I can think of.

So to my first question, can this be done or not? Or even to restrict the uploading of profile pictures or prevent non members from viewing the profile pictures. Those pictures can act as business cards.

new members can’t upload pictures - they find that out when they try, but it doesn’t take much to get to the basic Trust Level,
I haven’t explored the Admin settings pages lately, or ever to any great extent, but IIRC at least the Trust Level requirements cat be set to other than the default.

Sorry to revive this, but the very same request has surfaced in our community. Are there any plans to implement this? Additionally, the /users page is visible to anonymous visitors (though not crawlers, but anyway) plus all the badges pages reveal a somehow complete list of discourse users, even if you do not have an account.

What’s your concern with allowing anon viewing? Or was it stated above?

The concern in my community is that there is no option to restrict the “last post” or “joined” dates. Especially the first one can be a bit problematic - in our old forum software, one could choose to hide one’s online presence. Now, everyone can check when I last posted something online - even without registering.

Do you mean “last visit date”? Your last post is always a public artifact unless your last post was in a PM.

Sure - actually both. „Last seen“ and „last post“. Of course you can search for the user’s posts - but for privacy-oriented communities, it would be nice to either restrict visibility of the user details. Either site-wide, or maybe on a per-user basis like “I want to share my details with everyone registered users only no one”. So you present yourself either like this:

…or that:

If you post something, it’s clear that this is visible (unless you post in a hidden category). But if you only browse the site, we find it questionable that this data should be world-readable without a possibility to prevent it.

Uhm… I was just trying to put something together, but am stuck here: Why can’t I do this:


<script>
  Discourse.User.reopen({
    last_seen_at: function() {
        /* do clever stuff based on whether or not we're anonymous */
    }.property(),
  });
 </script>

…that doesn’t seem to get called at all. Any hints for the clueless?

It probably gets overridden by the actual data.

Um… and who overwrites it with actual data? I didn’t really find out - I guess it’s coming somewhere from the underlying RestModel?

Due to the prototypical inheritance system, if the object has a property last_seen_at (the date) and its prototype (here, the class definition) has a property last_seen_at (your function), the object’s property gets used first.

1 Like

If there was some sort of ‘logged-in’ class added to the body it would be easy to do with css.

Those who are overly concerned with privacy and hiding a user’s recent activity are unlikely to settle for a CSS solution. It’d be simple to to just look into the source of the page and pull the data out for a specific user. CSS is never a tool to provide security or privacy.

5 Likes

Understood. Now, I am trying to figure out a way out of this: I would like to have a better solution for hiding the last_seen_at than to re-include the whole user/user.hbs in a user script just to drop the model.last_seen_at line (if viewed by an anonymous user). Since last_seen_at is a property of the model object which I cannot really overwrite - I do not really see another way out, does anybody else?

That’s the solution I’d use. Granted, I’d be thinking about other tweaks and edits I’d want to do in the future and would figure that I may as well start now.

Related:

(Posting to say this has been requested before; I fully support this option to be in core.)

4 Likes

You can now use the “hide_user_profiles_from_public” site setting :grapes:

7 Likes