Member Directory: Disable access to profiles
Several of my clients have multiple directories on their sites. On certain directories (not all), they would like to be able to prevent visitors from clicking on an entry to view the member details/profile screen. On other directories they do want visitors to be able to click through.
It would be nice if there was a simple checkbox on the Edit Settings screen for directories that could be checked to turn off/on the link to the profile screen for all entries in a particular directory.
Kim
-
Evgeny Zaritovskiy commented
The problem is that the public member profile (the one that opens by the link) can be accessed by direct link, and the link is the same from different directories. So we can potentially disable the link, but this will not close the "security/privacy" issue you're speaking about.
The member determines what to show in his profile using privacy options. There are default privacy options that the admin determines and they are used by new members, but any member can change them for himself. So strictly speaking there are no privacy or security issues here - each member has control over the information he wants to show to the outside world.
Joined the thread into an existing one
-
BobHastings commented
The member directory gadget creates a link to the member profile by clicking on the first field in column 1 of the member directory (typically set up as last name, first name). This provides a second level of detail about the member that is not shown in the member directory. This exposes detailed member info - a potential security issue. How do I eliminate this link to the member profile? I must prevent the general public from seeing any info about the member except what I choose to display in the member directory itself. The member profile contains data that is only used by certain administrators and must be protected from view by non-authorized members or non-members. Setting the individual fields to Private prevents them from being used in other types of member directories where they ARE needed and is not a good solution. The link itself in the member directory must be turned off. I found a thread on the forum that suggested a piece of code but it does not seem to work in version 5. Help!! The member directory gadget reveals too much information to the general public.
-
Evgeny Zaritovskiy commented
Thinking out loud... What if instead of a single "Members" other access setting we have 2: "All members" and "Members of your level only".
First one - "All levels" - works the very same way as now, meaning that if a user is logged in and he has an active membership, then he is able to see the field in your profile.
Second one - "Members of your level only" - would allow this field in your profile to be seen only by members in the same level as your own.
This setup can resolve the very initial problem - Members and Organizations. Two levels can have 2 separate sets of fields, and each of these fields would have the "Members of your level only" other access option. In this case, members, even if logged in, will not be able to see organizations' fields.
OR
we should redesign our member privacy options page and fields setup options and make them more robust and per level rather than global for all.
-
Daniel (Dan) Page commented
Jim,
I am having trouble implementing this code.
I have put it in the global section, but cannot get it to work.
Can you help me please?
Thanks,
Dan Page
-
Dennis commented
I have just run into this issue with my client. They have individual members and organizational members. They do not want to display any personal information for the individual member listing, but do want contact details for organizational members.
It would have been great if I could just turn off access to the profiles with a simple check box. I can still include the minimum info that they want to display for individual members by what I select to display in the listing columns.
Without this feature I have to export all individual members, set the permissions for their contact information in Excel, then import. And then I have to change the permissions on fields for all new individual memberships. That's 30+ minutes of work and plenty of opportunities for human error.
This could be one of those sleeper features that folks don't bring up much, but would like to have.
Thanks - Dennis
p.s. - I used the script posted earlier and it worked - the member names look like links but the link goes nowhere.
-
Evgeny Zaritovskiy commented
I like the suggestion about 2 options - just directory listing without access to profile or listing with access to profile.
But I would like to hear comments from other people here as I'm not sure if this is the right move for all clients.
-
Kim Skimmons commented
Another alternative approach might be to alter the Privacy tab (in the Member Profile) so that there are two checkboxes in the Profile Access section instead of the one that is there now:
Just a thought... Thanks.
Kim
-
Fluid Apricot commented
Sounds interesting. In the meantime you can use the following script to prevent the directory from accessing the profile:
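<script type="text/javascript">
// Strips the profile click-through from every row of the directory table.
function checkMemberTable()
{
    var membersTable = document.getElementById('membersTable');
    if (membersTable)
    {
        var trs = membersTable.getElementsByTagName('tr');
        for (var i = 0; i < trs.length; i++)
        {
            // Remove the row-level click handler.
            trs[i].setAttribute('onclick', '');
            var links = trs[i].getElementsByTagName('a');
            for (var j = 0; j < links.length; j++)
            {
                // Neutralise only anchors that point at the public profile page.
                if (links[j].href.indexOf('MemberPublicProfile.aspx') > 0)
                {
                    links[j].setAttribute('onclick', 'return false;');
                    links[j].setAttribute('href', '#');
                }
            }
        }
    }
    // Re-run every 500 ms to catch rows rendered later.
    setTimeout(checkMemberTable, 500);
}
checkMemberTable();
</script>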
-
Kim Skimmons commented
Sure. Here's an example. A non-profit organization relies on corporate sponsors and needs a Sponsors page where all their sponsors are recognized. They used to simply use an ordinary content page onto which they uploaded a logo for each sponsor, but there was a maintenance issue as sponsors come and go -- they would forget to update the page -- and also there wasn't a good way to retain the sponsor's contact information in the database. So they decided to have each Sponsor in the membership database as a special type of member. That way they could capture all the information about the Sponsor that they want and they could always be sure that the Sponsor directory was up-to-date.
So the organization creates two membership levels:
Member (a human member of the organization) -- collect a full range of data on membership application: Contact Person's First Name, Contact Person's Last Name, address info, and lots of other member-specific information.
Sponsor (a financial supporter, usually a corporation) -- collect less data on membership application: Business Name, Logo, Contact Person's First Name, Contact Person's Last Name, Contact Person's Phone, mailing address info, Website URL
They have two membership directories on the site: one for Members and a second for Sponsors. The Sponsors directory is for public display. The member directory may be public or private -- doesn't matter. However, for the Sponsors directory, they really only want to show the directory page (and not the Profile page) for two reasons. 1) All the relevant information that they need to show the public appears in the directory listing: Business Name, Website URL, and Logo. There's nothing additional to be gained by going to the Profile page for the Sponsor. 2) They do not want people to be able to click into the Profile for each sponsor and see the contact person's name, address, email, phone, etc. because this information, for Sponsors (not for Members), is for administrative use only and they certainly do not want their sponsors being solicited by people who find them in this Directory.
The Member directory is different. On the Member directory, all the Members (humans) are displayed -- no Sponsors here. They do want visitors or other members to be able to click through to a Member's profile and see things like Contact Person's Name, address, phone number, email etc. because these fields are not admin-only for Members as they are for Sponsors.
When setting up the database fields, the default access level can be set up as either Anyone, Members Only, or No Access (admin only). The problem is that whatever setting you choose for a given field applies to all membership levels that use that field. So for a given field (e.g., Last Name), you can't set one level of access for Membership Level A and a different level of access for Membership Level B. Furthermore, field-level privacy can be set for individual membership records (via the Profile screen), but not for an entire group/level of members, which becomes a maintenance issue to remember to always manually change the field access levels each time a new member of a certain type is added. (I hope that makes sense.)
So a good (quick) solution would be to disable the ability to link through to the Profile page for certain directories or have a new type of functional page that is just a Simple Directory Listing.
A longer-term enhancement might be to implement membership-level-based field access settings so that a setting could apply to "anyone (contacts and members)", "all membership levels (not contacts)", or "specific membership levels (check all that apply)" and you could have different access settings for the same field depending on the Membership Level. But that seems hard to do and I'm not entirely sure that it's necessary. ~:)
Kim
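An added example (not part of the thread and not the platform's own code) of the per-membership-level field access described in the comment above, applied where the profile is served so that it also covers the direct-link case raised earlier in the thread. The policy layout and every name in it (`fieldPolicy`, `canView`, `visibleFields`, `sponsorProfile`) are hypothetical, and the sample data is constructed.

```javascript
// Hypothetical model: access rules keyed by the profile owner's membership
// level, then by field name. All sample data here is constructed.
const fieldPolicy = {
  Member: {
    'Last Name': { access: 'anyone' },
    'Phone':     { access: 'members' },
  },
  Sponsor: {
    'Business Name': { access: 'anyone' },
    'Website URL':   { access: 'anyone' },
    'Last Name':     { access: 'admin' },
    'Phone':         { access: 'levels', levels: ['Sponsor'] },
  },
};

const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// viewer is null for an anonymous visitor, otherwise { level, isAdmin }.
function canView(rule, viewer) {
  if (viewer && viewer.isAdmin) return true;
  if (!rule) return false; // no rule for this field: deny by default
  switch (rule.access) {
    case 'anyone':  return true;
    case 'members': return Boolean(viewer && viewer.level);
    case 'levels':  return Boolean(viewer && Array.isArray(rule.levels) &&
                                   rule.levels.includes(viewer.level));
    default:        return false; // 'admin' and any unknown value
  }
}

// Build the profile response from permitted fields only, so a direct request
// for the profile URL gets the same filtered view as a directory click-through.
function visibleFields(profile, viewer, policy = fieldPolicy) {
  const rules = own(policy, profile.level) ? policy[profile.level] : {};
  const out = {};
  for (const [name, value] of Object.entries(profile.fields)) {
    if (canView(own(rules, name) ? rules[name] : undefined, viewer)) out[name] = value;
  }
  return out;
}

// Constructed sample record for a Sponsor-level profile.
const sponsorProfile = {
  level: 'Sponsor',
  fields: { 'Business Name': 'Example Corp', 'Website URL': 'https://example.org',
            'Last Name': 'Doe', 'Phone': '555-0100' },
};
console.log(visibleFields(sponsorProfile, null));
console.log(visibleFields(sponsorProfile, { level: 'Member' }));
```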
-
Dmitry Buterin commented
Kim,
Can you elaborate on the reasoning behind this?