TAN-7396 - Remove enhanced user privacy FF #13594
sebastienhoorens
left a comment
All good, always nice to see code getting removed.
Just checking that it's acceptable that existing user profile links might no longer work. What happens when following such a profile with slug link? Do you see a generic 404 page? Mentions of users, like @jamesspeake, will still work I guess as they use user IDs?
I don't think there's any concern around security? You could reason that by exposing the user IDs in the URLs the user IDs are now a slightly more discoverable target to try to get private user information (trying direct API calls, SQL injections...), but I suppose it was always possible to figure out the user IDs.
| self.class.enhanced_user_profile_privacy? && id ? id : super | ||
| end | ||
| def show_public_profile? |
So now we always want to hide profiles of users who didn't participate publicly? I guess it's really an edge case, but a user could post something, share their profile and then remove that post.
| attribute :initiating_user_slug do |object| | ||
| object.initiating_user&.slug | ||
| attribute :initiating_user_id do |object| |
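Review bot: the rename from `initiating_user_slug` to `initiating_user_id` changes both the name and the value of a serialized attribute, so any consumer still reading `initiating_user_slug` will silently get nothing; update the front-end types and the serializer spec in the same change. The old body, `object.initiating_user&.slug`, tolerated a missing initiating user, so the new block should also return nil in that case rather than raise.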
Nit: All these could potentially just move to the top as attribute :initiating_user_id
# Conflicts: # front/app/components/admin/ModeratorList/ModeratorListRow.test.tsx # front/app/components/admin/UsersTable/NameAvatarEmail.tsx
Just checked this and I think I'll need to also restrict that endpoint as any user can be found this way regardless of whether they have posted anything publicly. Also it appears to be broken on production - mentioned users appear as @b94bde59-a88b-4954-88c5-8c52499c1448 which I guess is not what we want.
NOTE:
Changelog
Changed