What about private groups?


(Tom Spilman) #1

We have a Discourse site which includes lots of public discussion, but we also have some categories where we discuss private NDA’d materials.

The category itself seems fine… people trying to access it without permission are rejected.

The issue is that the group we use to secure that category is visible to everyone. People outside that group can not only see that the group exists, but also see the members of the group.

It seems to me that groups need as much privacy as categories do.


(Jeff Atwood) #2

Where can they see the group? Can you provide a screenshot or other information?


(Tom Spilman) #3

The main place is when visiting someone’s profile page. It shows the groups they belong to.

Also simply just entering the URL…

http://forums.mysite.com/groups/guess_a_group_name/

Works when it should reject the user just like it does for private categories.


(Patrick Klug) #4

AFAIK, this only shows public posts of users in that group, not actual posts within the group.
But anyway, I would also like to be able to hide a group from the group list.


(Sam Saffron) #5

I just retested and there is no information leak on the groups page. Only thing leaking out is the cast list for a group (which is by design).

Open to adding a flag on Group that marks it as “only visible to admins”. PR welcome. (that could 404 the /groups page to non members and hide from user page)


(Tom Spilman) #6

Ideally a group could be completely invisible to anyone on the site that wasn’t a member of the group. If that is what you mean… I’m all for it.


(Tom Spilman) #7

Unfortunately my limited web development skills are in PHP/MySQL… so I can’t make a PR for this.

I guess we’ll have to move our private discussions to another solution… probably a mailing list (yuck!). We can’t have the group name or members be public as it would out unannounced projects/teams.


(Jeff Atwood) #8

Couldn’t you give the projects generic or code names? E.g. “Project Fluffy”?


(Tom Spilman) #9

I could, but it would be sort of weird as it’s not our product to rename like that.


(Walter Stabosz) #10

@codinghorror I agree with @tomspilman about the desire to have the names/existence of private groups hidden from non-members. I’d like to use Discourse to communicate between multiple clients, but I don’t want the clients to know of each other. I considered code names, but I could see things getting messy if we have 20 clients and they see a category list with all sorts of cryptic names, not to mention the difficulty for us to remember which code name maps to which client.


(Tom Spilman) #11

I forgot to reply here.

@eviltrout fixed this for us already. You now have a “Group is visible to all users” checkbox in the group settings. If you uncheck this then the group is only visible to members.

This solved the issue for us. Give it a try… does it work for your case?


(Walter Stabosz) #12

I’ve yet to set up a Discourse instance, I’m still in the research phase. But this was one of my concerns and it sounds like it’s been addressed.

Update: Works great!


(Daniela) #13