FriendsOfFlarum / user-directory

The permission based public user directory extension for your Flarum forum.
https://discuss.flarum.org/d/5682
MIT License

Changing default sort to recently online causes regular users to not see directory #66

Closed zerosonesfun closed 3 years ago

zerosonesfun commented 3 years ago

Changing default sort to recently online causes regular users to not see directory (or list of users) and there's an oops something went wrong error. Nothing in Flarum logs, nothing in browser console.

clarkwinkelmann commented 3 years ago

"Recently online" sort has been removed from Flarum in beta 16, see #55 and https://github.com/flarum/core/issues/2519

I have not tested, but attempting to sort by that attribute should result in a 400 error from the REST API. It's possible this translates into a 500 error when attempting to apply it to a preloaded page.

It seems like we closed the previous issue without removing the sort option. We need to remove that option, at least for users without user.viewLastSeenAt permission. It's probably easier to remove the option altogether.

Ralkage commented 3 years ago

Thanks for the report! I saw your post on Discuss and was going to ask if you could create an issue for it and here we are :)

I just dug into it and this is caused by the "Always view user last seen time" permission which is set to Admin and Mods by default.

If it's set to members, this will fix the issue in the interim until we can fix this in a future release.

clarkwinkelmann commented 3 years ago

@Ralkage that's the wrong way around.

"Always view user last seen time" is a permission meant for mods to bypass the privacy setting "Hide when I'm online"

Previously anyone could sort users by last online time, which was essentially bypassing that permission, leaking who is online even if a user opted out.

The easiest solution to fix that issue was to just remove the ability to sort by last online for everyone. That's the solution that was agreed upon both here and in Flarum. Since it was a Flarum issue, the fix was pushed to Flarum beta 16.

The only remaining issue is that we still offer the sorting option in the UI despite it no longer existing.

IMO, the only "solution" is to remove the sorting option from the UI.

Workarounds to keep the ability to sort by last online are:

Ralkage commented 3 years ago

@clarkwinkelmann I'm in favor of removing the sorting option from the UI especially since the fix is in Flarum beta 16 👍

ctml91 commented 3 years ago

So from beta 16 onward, admins will no longer be able to see who's online or recently online. Is that correct?

zerosonesfun commented 3 years ago

> So from beta 16 onward, admins will no longer be able to see who's online or recently online. Is that correct?

No. I’m pretty sure that’s not exactly the case. At the very least you can use one of the logging extensions out there which will show an admin who has been online.

I agree with removing that sorting option too. I chose it because I thought it was kind of neat. But, not necessary.

ctml91 commented 3 years ago

I think there should be a way to see who's online in the forum. But perhaps that's through a who's online extension/page and permission controlled rather than the user directory

clarkwinkelmann commented 3 years ago

I feel like there's a lot of confusion here.

On the Flarum side:

In beta 15, there was a sorting option in the REST API that allowed anyone to "guess" the online time of users who chose to hide their online status. This was a serious privacy issue.

In beta 16, to fix that issue, the sorting option was removed. Nothing else changed, the online time is still visible in the profile in the same way and to the same people as before, and admins/mods can still see the online time of everyone (that's what the permission does). To prevent breaking custom integrations that used the REST API, we kept the sorting option but only for admins.

On the User Directory side:

We changed nothing. We are still showing an option that no longer exists in Flarum, which leads to an error.

User Directory does not implement any of the filters or sorting options. Everything is part of Flarum's REST API. This extension just provides a user interface for the GET /api/users endpoint of Flarum.

This change was documented in Flarum's release notes (and I knew about it, since I made the fix), and I knew we would have to remove the sort option if it was removed from Flarum. We just forgot to make the change and closed the older issue too quickly.
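The privacy issue and fix discussed in this thread, as an added example that is not Flarum's or the extension's code: a sort on a field the serializer hides still reveals it through row order, so the sort field is validated per actor and the UI builds its options from the same allowlist. The function names, the `hideOnline` flag and the sample users are constructed for illustration; gating on `user.viewLastSeenAt` is an assumption taken from the comments above.

```javascript
// Constructed sample data. Functions are hypothetical, not Flarum's API.
const users = [
  { username: 'alice', joinedAt: '2020-01-03', lastSeenAt: '2021-03-01T10:10:00Z', hideOnline: false },
  { username: 'bob',   joinedAt: '2020-01-02', lastSeenAt: '2021-03-01T10:05:00Z', hideOnline: true },
  { username: 'carol', joinedAt: '2020-01-01', lastSeenAt: '2021-03-01T10:00:00Z', hideOnline: false },
];

// Assumption: the bypass permission named in the thread gates the sort.
const canSeeAll = (actor) => actor.permissions.includes('user.viewLastSeenAt');

// Serializer: lastSeenAt is omitted for users who opted out, unless the
// actor holds the bypass permission.
function serialize(user, actor) {
  const out = { username: user.username };
  if (!user.hideOnline || canSeeAll(actor)) out.lastSeenAt = user.lastSeenAt;
  return out;
}

// Sort fields the actor may request. A directory UI should build its
// dropdown from this list so it never offers a sort the API rejects.
function allowedSorts(actor) {
  const sorts = ['username', 'joinedAt'];
  if (canSeeAll(actor)) sorts.push('lastSeenAt');
  return sorts;
}

// Behaviour described for beta 15: the sort runs on the raw column for every
// actor, so row order exposes a value the serializer withheld.
function listUsersUnchecked(actor, sort) {
  return [...users]
    .sort((a, b) => a[sort].localeCompare(b[sort]))
    .map((u) => serialize(u, actor));
}

// Checked variant: validate the sort field against the actor's allowlist
// before touching the data, and answer 400 otherwise.
function listUsers(actor, sort) {
  if (!allowedSorts(actor).includes(sort)) {
    return { status: 400, errors: [`invalid sort field: ${sort}`] };
  }
  return { status: 200, data: listUsersUnchecked(actor, sort) };
}
```

With the unchecked listing, a member sees `bob` placed between `carol` and `alice` even though his `lastSeenAt` is absent from the payload, which bounds the hidden value by his neighbours' visible times.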