Open kendrakleber opened 3 years ago
From looking at Wild Apricot, the solution they take is using a saved search as a "prefilter" for what contacts the public/members can then search from. Technically, as long as the admin doesn't share what the saved search filter is on, you can't infer anything, and thus no privacy is compromised. We can do the same thing/nothing as long as members/public can never select a saved search. In the future, if WA could change their API, saved searches could be exposed to members/public and that would be very powerful.
Currently the only thing to do is to give some instructions/explanation "hey, don't say what the saved search is publicly" or something with reasoning, so that way it is 100% on our users, not us, if information is compromised.
Explicit privacy currently exists: if FirstName is selected for a contact, and a contact has it private, it will not be displayed.
However, more "implicit" privacy does not. For example, if contacts are being filtered on having more than 5 guns, but a contact has made number of guns private but they fit the criteria, the contact will still be displayed, and it shouldn't be.
This can't be fixed with the current API, as saved search only returns Ids of the contacts, and the contents of the filter would need to be exposed to ensure contact privacy.
There are several responses to this:
For now, we'll probably end up going with 2, but when this project goes public, either 1 should exist or searching by saved searches should not be allowed (3).
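The explicit/implicit distinction described in this issue, as an added example that is not part of the original issue or the project's code: it shows a listing that honours per-field privacy still revealing a filter match, and the check that becomes possible only if the filter's fields are known. The contact records, the `NumberOfGuns` field name, and both functions are constructed for illustration and do not model the real Wild Apricot API.

```python
# Constructed sample contacts: field values plus the fields each contact marked private.
CONTACTS = [
    {"Id": 1, "FirstName": "Ana", "NumberOfGuns": 7, "private": set()},
    {"Id": 2, "FirstName": "Ben", "NumberOfGuns": 9, "private": {"NumberOfGuns"}},
    {"Id": 3, "FirstName": "Cy", "NumberOfGuns": 2, "private": {"FirstName"}},
]


def saved_search_ids(contacts, predicate):
    """Hypothetical stand-in for a saved search: returns matching Ids only,
    with no information about which fields the filter tested."""
    return [c["Id"] for c in contacts if predicate(c)]


def render(contacts, ids, display_fields, filter_fields=None):
    """Build the public listing for the contacts in `ids`.

    Explicit privacy: a display field the contact marked private is blanked.
    Implicit privacy: when `filter_fields` is known, a contact who marked any
    filtered field private is omitted, because merely appearing in the result
    reveals that the private value satisfies the filter.
    """
    by_id = {c["Id"]: c for c in contacts}
    rows = []
    for cid in ids:
        contact = by_id[cid]
        if filter_fields is not None and contact["private"] & set(filter_fields):
            continue  # membership in the result would leak the private field
        rows.append({
            field: (None if field in contact["private"] else contact[field])
            for field in display_fields
        })
    return rows


if __name__ == "__main__":
    ids = saved_search_ids(CONTACTS, lambda c: c["NumberOfGuns"] > 5)
    # Filter unknown: Ben is listed, so a viewer who knows the filter learns
    # his private gun count exceeds 5 even though the field is never shown.
    print(render(CONTACTS, ids, ["Id", "FirstName"]))
    # Filter fields known: Ben is dropped before rendering.
    print(render(CONTACTS, ids, ["Id", "FirstName"], filter_fields=["NumberOfGuns"]))
```
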