ChaelCodes / MeetAnotherDay

An app to help you find and meet up with your friends at conferences.
MIT License

Fix event attendees list display #165

Closed SergejPanov closed 6 months ago

SergejPanov commented 9 months ago

Fixed the bug due to which the list of conf attendees was not displayed.

Fixes ChaelCodes/ConfBuddies#168

ChaelCodes commented 9 months ago

Thanks for the PR! This project takes privacy very seriously, so we don't want to share event attendance unless the viewer is a friend or buddy, which is why `@event_attendees` has a limited scope.

https://github.com/ChaelCodes/ConfBuddies/blob/main/app/controllers/events_controller.rb#L16-L20

This PR would allow anyone to see all attendees.

That said, I think there's a lot of room for improvement here.

  1. This should probably be a Pundit scope instead of a query.
  2. We should let the user know why they're not seeing any attendees there. (No profile or no friends)
  3. Public attendees should show up.
  4. Friends should be listed before public attendees (or maybe instead of? or maybe an indicator for friends?)

By the way, thank you very much for the issues. That's some great feedback around usability.

SergejPanov commented 9 months ago

Hi @ChaelCodes,

The main usability issue is that the only way to become someone's friend is to click a button on a profile page. The only way to enter the profile page is from the list of attendees. If you don't see attendees who are not friends, you will never be able to become friends with anyone. Then there should be another way to send a friendship request: maybe some sort of profile search functionality. What do you think?

ChaelCodes commented 6 months ago

> Hi @ChaelCodes,
>
> The main usability issue is that the only way to become someone's friend is to click a button on a profile page. The only way to enter the profile page is from the list of attendees. If you don't see attendees who are not friends, you will never be able to become friends with anyone. Then there should be another way to send a friendship request: maybe some sort of profile search functionality. What do you think?

Hey! This issue has recently been resolved by allowing users to view profile names and handles of profiles they don't have access to view. I agree that some form of search would be fantastic, but for now, the handle can be used at /profiles/handle to access the page.

I'm closing this PR, because the recommendation - using `@event.event_attendees` instead of `@event_attendees` - opens up a security vulnerability in the system where users' profile visibility preferences aren't respected.

Thank you for your contribution! I appreciate you raising the issues for discussion.
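
The scoping discussed in this thread, as an added example that is not code from the MeetAnotherDay repository: a plain-Ruby class in the shape of a Pundit policy scope (`initialize(user, scope)` plus `resolve`) that lists friends first, then public attendees, and withholds everyone else. `Profile`, its `visibility` values, `friend_ids` and the mutual-friendship rule are assumptions made for illustration.

```ruby
# Added example, not MeetAnotherDay code. Profile, its visibility values and
# friend_ids are hypothetical stand-ins for the app's models.
Profile = Struct.new(:id, :handle, :visibility, :friend_ids)

# Shaped like a Pundit policy scope: built from (user, scope), narrowed by #resolve.
class EventAttendeeScope
  def initialize(viewer, scope)
    @viewer = viewer # the viewer's Profile, or nil when they have none
    @scope  = scope  # every attendee of the event, unfiltered
  end

  # Friends first, then public attendees; all other attendees are withheld.
  def resolve
    friends, others = @scope.partition { |profile| friend?(profile) }
    friends + others.select { |profile| profile.visibility == :public }
  end

  # Tells the viewer why the list is empty (no profile, or nobody visible).
  def empty_reason
    return nil unless resolve.empty?
    return "Create a profile to see friends attending." if @viewer.nil?
    "No friends or public attendees at this event yet."
  end

  private

  # Assumption: friendship is mutual, so a viewer cannot grant themselves access.
  def friend?(profile)
    return false if @viewer.nil?
    @viewer.friend_ids.include?(profile.id) && profile.friend_ids.include?(@viewer.id)
  end
end

# Constructed sample data.
ALICE = Profile.new(1, "alice", :friends, [2])
BOB   = Profile.new(2, "bob",   :friends, [1])
CAROL = Profile.new(3, "carol", :public,  [])
DAVE  = Profile.new(4, "dave",  :private, [])
ATTENDEES = [CAROL, DAVE, BOB]

# Handles the given viewer is allowed to see for the event.
def visible_handles(viewer, attendees = ATTENDEES)
  EventAttendeeScope.new(viewer, attendees).resolve.map(&:handle)
end
```

Rendering the unfiltered `ATTENDEES` list instead of the resolved scope would include `dave`, whose profile is private, for every viewer.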