User#show not visible #331
Comments
I'd tend toward having public profiles, with group memberships and content
I would say that we would only want profiles visible to logged-in users. The potential for unwanted search engine attention and malicious scraping is substantial and I think most folks would expect that their name and email would only be visible to other users of the system.
That's a good point, we should limit exposure of PII. We could expose first name, last initial, and no email to public users, for public Concerto instances
Related issues were also brought up in #78 and #97 - where @bamnet brought up the issue of a public user needing to contact a screen, feed, or group owner. I think we have 3 options here:
I don't think we need to show an email address publicly, that's a bad idea. What do we risk by showing a list of all the public content (aka approved) that Brian Zaik has uploaded on the Brian Zaik page? His name is already publicly associated with the content on content#show.
So now we've mostly sorted permissions for the Users controller. But the users#show page is not yet publicly accessible. To make the Users page public, the user should a) have public content in the system and b) the system should be set to public mode (via the ConcertoConfig param). In that event, we should show the user's page with their name and their content - but not their email.
Let me try my hand at the ability.rb work this will need.
I made a quick pass at this, how does it look now?
Looks solid, but let's just omit the email entirely if the user isn't logged in. Having a working mailto link with the ellipsis will just confuse people.
Done. The rest of the app needs to be scrubbed to match this. Will open another ticket.
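The visibility rule this thread settles on (anonymous access only in public mode and only for users with approved content, with the email left out for anonymous viewers), as an added example that is not Concerto's code. It is plain Ruby rather than the project's ability.rb, and every name in it (User, Content, can_show_user?, profile_for, the sample records) is hypothetical.

```ruby
# Added illustration: a plain-Ruby model of the profile visibility rule.
# All names and records below are hypothetical / constructed.
User    = Struct.new(:id, :name, :email)
Content = Struct.new(:owner_id, :title, :approved)

USERS = [
  User.new(1, "Regular User", "regular@example.org"),
  User.new(2, "Draft Only",   "draft@example.org")
].freeze

CONTENTS = [
  Content.new(1, "Approved poster", true),
  Content.new(1, "Pending poster",  false),
  Content.new(2, "Pending flyer",   false)
].freeze

# Only approved content counts as public content.
def approved_content_for(user)
  CONTENTS.select { |c| c.owner_id == user.id && c.approved }
end

# viewer is nil for a request that is not logged in.
def can_show_user?(viewer, target, public_mode:)
  return true if viewer # logged-in users may view profiles
  # Anonymous: the instance must be public AND the user must have public content.
  public_mode && approved_content_for(target).any?
end

# Build the data handed to the view; nil means access denied.
# The email key is never present for anonymous viewers, so a template
# cannot render it by accident.
# Assumption: this sketch lists approved content only, for every viewer.
def profile_for(viewer, target, public_mode:)
  return nil unless can_show_user?(viewer, target, public_mode: public_mode)

  profile = { name: target.name, content: approved_content_for(target).map(&:title) }
  profile[:email] = target.email if viewer
  profile
end
```

Filtering the email out of the data passed to the view, rather than hiding it in the template, keeps the field from reaching other templates or serializers that reuse the same data.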
When I see that "Regular User" uploaded a piece of content like http://nightly.concerto-signage.org/feeds/1/submissions/10 I would like to click on their name and see other content that they've uploaded.
Currently user#show is not accessible to users that aren't logged in. Should users have a publicly accessible show page or should we prevent those links from being clickable?