User#show not visible #331

Closed
bamnet opened this issue Mar 6, 2013 · 10 comments

Comments

Member

bamnet commented Mar 6, 2013

When I see that "Regular User" uploaded a piece of content like http://nightly.concerto-signage.org/feeds/1/submissions/10 I would like to click on their name and see other content that they've uploaded.

Currently user#show is not accessible to users that aren't logged in. Should users have a publicly accessible show page or should we prevent those links from being clickable?

Member

zr2d2 commented Mar 7, 2013

I'd tend toward having public profiles, with group memberships and content listed. I really don't know what wouldn't be publicly accessible.

Member

augustf commented Mar 9, 2013

I would say that we would only want profiles visible to logged-in users. The potential for unwanted search engine attention and malicious scraping is substantial and I think most folks would expect that their name and email would only be visible to other users of the system.

Member

zr2d2 commented Mar 9, 2013

That's a good point, we should limit exposure of PII. We could expose first name, last initial, and no email to public users, for public Concerto instances.

Member

augustf commented Mar 9, 2013

Related issues were also brought up in #78 and #97 - where @bamnet brought up the issue of a public user needing to contact a screen, feed, or group owner. I think we have 3 options here:

  1. Make this totally configurable - with a flag that either shows/hides users' personal information, redacts it as @zr2d2 suggests, or even closes it up entirely (as in [2])

  2. Totally close user pages to public users. If they had a legitimate inquiry about a system entity, they would have a login.

  3. Show the user page, but without any identifying information and allow public users to contact the person via the email notification system.

Member Author

bamnet commented Mar 10, 2013

I don't think we need to show an email address publicly; that's a bad idea. What do we risk by showing a list of all the public content (aka approved) that Brian Zaik has uploaded on the Brian Zaik page? His name is already publicly associated with the content on content#show.

Member

augustf commented Mar 13, 2013

So now we've mostly sorted permissions for the Users controller. But the users#show page is not yet publicly accessible. To make the Users page public, the user should a) have public content in the system and b) the system should be set to public mode (via the ConcertoConfig param). In that event, we should show the user's page with their name and their content - but not their email.

Member Author

bamnet commented Mar 14, 2013

Let me try my hand at the ability.rb work this will need.

Member Author

bamnet commented Mar 14, 2013

I made a quick pass at this, how does it look now?

Member

augustf commented Mar 14, 2013

Looks solid, but let's just omit the email entirely if the user isn't logged in. Having a working mailto link with the ellipsis will just confuse people.

bamnet added a commit that referenced this issue Mar 14, 2013
Member Author

bamnet commented Mar 14, 2013

Done. The rest of the app needs to be scrubbed to match this. Will open another ticket.
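
The rule the thread converged on (public profile only when the instance is in public mode and the user has approved content; no email for visitors who are not logged in), sketched as an added example that is not part of the original thread and is not Concerto's ability.rb or model code. Every name in it (`Person`, `Upload`, `can_show_user?`, `profile_view`, `public_mode:`) is hypothetical, and showing logged-in users the approved list plus the email is an assumption.

```ruby
# Added illustration in plain Ruby; not Concerto's ability.rb or models.
# All class and method names below are hypothetical.
Upload = Struct.new(:title, :approved)
Person = Struct.new(:name, :email, :uploads) do
  # Only moderated (approved) content counts as public.
  def public_uploads
    uploads.select(&:approved)
  end
end

# Object-level check: may this viewer open the show page at all?
# viewer is nil for a visitor who is not logged in.
def can_show_user?(viewer, subject, public_mode:)
  return true unless viewer.nil?   # logged-in users keep access
  return false unless public_mode  # closed instance: no public profiles
  subject.public_uploads.any?      # public only if approved content exists
end

# Field-level filter: build the page data from an allow-list per audience,
# so an attribute added to the model later is not public by default.
def profile_view(viewer, subject, public_mode:)
  return nil unless can_show_user?(viewer, subject, public_mode: public_mode)

  view = { name: subject.name, content: subject.public_uploads.map(&:title) }
  # The email key is absent for the public, not masked or truncated.
  view[:email] = subject.email unless viewer.nil?
  view
end

# Constructed sample data.
ALICE = Person.new("Alice Example", "alice@example.org",
                   [Upload.new("Spring Concert", true),
                    Upload.new("Draft flyer", false)])
BOB = Person.new("Bob Example", "bob@example.org",
                 [Upload.new("Pending poster", false)])

p profile_view(nil, ALICE, public_mode: true)   # anonymous, public instance
p profile_view(nil, BOB, public_mode: true)     # no approved content
p profile_view(BOB, ALICE, public_mode: false)  # logged-in viewer
```

Keeping the page-level check and the field allow-list in one place means a view template cannot leak the email by rendering an attribute the policy never handed it.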
