Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix event attendees list display #165

Closed
wants to merge 1 commit into from
Closed

Fix event attendees list display #165

wants to merge 1 commit into from

Conversation

SergejPanov
Copy link

@SergejPanov SergejPanov commented Nov 18, 2023
edited
Loading

Fixed the bug, due to which list of conf attendees was not displayed

Fixes #168

@ChaelCodes
Copy link
Owner

Thanks for the PR! This project takes privacy very seriously, so we don't want to share event attendance unless the viewer is a friend or buddy. Which is why @event_attendees has a limited scope.

https://github.com/ChaelCodes/ConfBuddies/blob/main/app/controllers/events_controller.rb#L16-L20

This PR would allow anyone to see all attendees.

That said, I think there's a lot of room for improvement here.

  1. This should probably be a Pundit scope instead of a query.
  2. We should let the user know why they're not seeing any attendees there. (No profile or no friends)
  3. Public attendees should show up.
  4. Friends should be listed before public attendees (or maybe instead of? or maybe an indicator for friends?)

By the way, thank you very much for the issues. That's some great feedback around usability.

@SergejPanov
Copy link
Author

Hi @ChaelCodes ,

The main usability issue is that the only way to become someone's friend is to click a button on a profile page. The only way to enter the profile page is from the list of attendees. If you don't see attendees, which are not friends, you will never be able to become friend with anyone. Then there should be another way to send a friendship request: maybe some sort of profile search functionality. What do you think?

@ChaelCodes
Copy link
Owner

Hi @ChaelCodes ,

The main usability issue is that the only way to become someone's friend is to click a button on a profile page. The only way to enter the profile page is from the list of attendees. If you don't see attendees, which are not friends, you will never be able to become friend with anyone. Then there should be another way to send a friendship request: maybe some sort of profile search functionality. What do you think?

Hey! This issue has recently been resolved by allowing users to view profile names and handles of profiles they don't have access to view. I agree that some form of search would be fantastic, but for now, the handle can be used at /profiles/handle to access the page.

I'm closing this PR, because the recommendation - using @event.event_attendees instead of @event_attendees - opens up a security vulnerability in the system where user's profile visibility preferences aren't respected.

Thank you for your contribution! I appreciate you raising the issues for discussion.

@ChaelCodes ChaelCodes closed this Feb 8, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

List of conf attendees is not displayed on the event display page
2 participants
@SergejPanov @ChaelCodes