8 Replies Latest reply on Dec 18, 2007 9:51 AM by RobAlexander

    Clearspace X functional bug - User Browser and Picker

      Hi, I'm a prospective client, and in a few minutes of usage I spotted a bug in your software.

      If you create private communities and private sub-communities; revoke all global permissions for everyone except registered users; create some groups and assign them selectively to these communities and sub-communities; and log in as a user who is a member of one of these groups, you can work perfectly fine in that particular community, but you can still see all the users through the user picker and the user browser, along with their profiles (only email and some other attributes are hidden).

       

      This is a problem in a private closed environment, where that user can make an intelligent guess of their emails and get other personal information. Ideally, users should only be able to see other users' credentials if they belong to the same group.

        • Re: Clearspace X  functional bug - User Browser and Picker

          hi vsingh77,

          This is a problem in a private closed environment, where that user can make an intelligent guess of their emails and get other personal information.

          If you have a private closed environment and you only want certain people in that environment, why not limit registration so that you don't get these lurkers?

          Just out of curiosity, where were you planning on using Clearspace? Internal to your organization (thus inside the firewall) or as an external community?

          Cheers,

          AJ

            • Re: Clearspace X  functional bug - User Browser and Picker

              These "lurkers" are a necessary evil for us. We plan to use it as an external community.

                • Re: Clearspace X  functional bug - User Browser and Picker

                  Are there going to be public / non-private spaces as well that the lurkers are going to participate in? And if so, I'm guessing the people that participate in the private groups will also participate in the public groups, which means their usernames are going to get out there anyway, right? So the problem isn't really the /people page as much as it is the fact that you have users who are registering with usernames that are guessable?

                  Cheers,

                  AJ

                    • Re: Clearspace X  functional bug - User Browser and Picker

                      Yes, there is going to be public access. Guessing email is one problem; seeing the profile of a user is a very important thing. That user could easily see the credentials of other users and might get a good knowledge of how the whole organization has been carved out. A lot of BI would be revealed, which is the core to our business. This information is valuable to us; no one should be able to get an idea of what other people are doing in a private community. Hope it makes things clear.

                      BTW, we are going to be using task tracking software along with the wiki, which kind of makes it important for us to use LDAP, so using another authentication is not a resolution to our problem. Also, having different email addresses does not serve the purpose, since that is also derived from LDAP.

                        • Re: Clearspace X  functional bug - User Browser and Picker

                          hi vsingh77,

                          Yes, there is going to be public access. Guessing email is one problem; seeing the profile of a user is a very important thing. That user could easily see the credentials of other users and might get a good knowledge of how the whole organization has been carved out. A lot of BI would be revealed, which is the core to our business. This information is valuable to us; no one should be able to get an idea of what other people are doing in a private community. Hope it makes things clear.

                          That helps a lot. Thanks! It sounds like then what you'll want to do is customize the user profile page (very easy to do with a global theme) which is located at:

                          /template/global/view-profile.ftl

                          and add some code that only shows the sensitive credentials if the current user is one of our internal users. You can create a theme by going to the admin console --> system --> settings --> themes.

                           

                          Also, just so we're clear: if user 'a' is participating in a private community and creates a bunch of documents and threads in that private community, and then user 'b' (who doesn't have permission to view the private community) comes along and views the profile of user 'a', user 'b' will not see any of the documents / threads that user 'a' has created in that private community. So if you're talking about BI that's created in the space, there's no way for that to leak out of the space.

                          I'd be happy to help here if you want to go down the route of creating a custom theme, or you can work with our Professional Services team to customize the user profile view even more.

                          Cheers,

                          AJ

                        • Re: Clearspace X  functional bug - User Browser and Picker

                          What is your concept of a true external community? Who are you actually trying to target here? Is it open source or non-profits, where it may not be that significant a problem revealing information like user profiles, expertise, location etc.? But for some industries like financial, law firms and insurance, every piece of information is priceless. What if these guys were traders for a brokerage firm? Or employees of law firms or insurance companies? I don't think it is a good idea even to reveal the hobbies and interests, forget about usernames. The user's personal information to me is priceless business intelligence that must be concealed from even the internal groups, as well as the guests who are allowed access or our clients. I don't mean it in a bad way, but I think there should have been a little more background work done as to who else could be your potential clients, rather than who is or who has requested Clearspace X from you. Most of the solutions that I have got from Jive are not even close to a quick dirty fix. Having said that, I still think Clearspace is an awesome software for internal collaboration, but modelling Clearspace X, or rather just tweaking it to suit only what matters to you for now, is probably an approach Jive needs to rethink.