sandstorm-io / sandstorm

Sandstorm is a self-hostable web productivity suite. It's implemented as a security-hardened web app package manager.
https://sandstorm.io

Share widget should make it clear that I'm sharing full access to the grain #796

Open geofft opened 9 years ago

geofft commented 9 years ago

If an app doesn't explicitly support multiple levels of sharing (as e.g. Etherpad does), there's no dropdown asking what you want to share, and there's no text at all on the "Send an invite" tab explaining what you're sharing. The "Get sharable link" page says "Anyone with this link can access the grain," but it's not totally clear what "access the grain" means.

Given that you're sharing complete, read-write access with all your privileges to that grain, there should be clear and potentially somewhat-scary wording. If I'm in Ghost I might click that button intending to share a public link to my blog or at least just the current blog entry draft, etc.

kentonv commented 9 years ago

Actually, in some apps, you aren't sharing complete access. Even before permissions were implemented, it was possible for an app to differentiate between owner vs. others, and some apps did so. So it's a bit unclear what to do here...

Meanwhile Ghost is a somewhat special case in that it has a form of sharing not represented by the share dialog in the form of sharing the site's public URL. So perhaps the right answer is to fix Ghost specifically?

geofft commented 9 years ago

Does the Sandstorm UI have a way to tell if the app is differentiating between owner and others? Or can those apps be ported to permissions, while the platform is still relatively small?

Security conservatism would say it's better (at least in the short term) to err on the side of warning about too much instead of too little. But up to you. UX might say otherwise, or that in practice people understand what "Share" means just fine.

I think even for the non-Ghost case, the standard pattern of "share" on the web doesn't necessarily mean "delegate access". If I click "Share" on Twitter or Reddit, I don't expect my logged-in state to travel along with that. But this is an imperfect analogy, and again, maybe in practice nobody is confused.

I wonder if renaming "Share" to "Authorize" (and "Share with others" to "Authorize others") would be helpful, and also free up the term "Share" to be used by the app itself. (I still think a short sentence along the lines of the "Get shareable link" tab should be in the "Send an invite" tab, and it should probably say "Anyone with this link can fully access this grain just like you can," or something.)

kpreid commented 9 years ago

I think that it is best to think not about warning, but rather describing or perhaps even _previewing_ the authority granted by sharing.

By previewing (a UI idea I've thought of in other contexts but haven't prototyped) I mean displaying the data that will be readable and an indication of whether it will also be writable. (For sorts of permissions that are more like actions (e.g. "send mail as you") the preview would have to be more abstract.)

Of course, this requires the app to cooperate (but so does describing the permissions) and involves mixing of shell and grain UI (at least to the extent of secondary viewports).

paulproteus commented 9 years ago

@neynah: I'm tagging you because you might appreciate @geofft's description above of possible misunderstandings of the "Share" button.

kentonv commented 9 years ago

@kpreid A "preview" would be really cool, and entirely feasible for us to implement without explicit app support (though perhaps it could be better with app support). Still a bunch of work so I'm not sure when we might be able to do it, but I like the idea.

As for the problem at hand, I think the answer is "the app needs to declare roles; let's update all the old apps to do so, even if they declare only one role".
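To make the "declare roles, even if only one" suggestion concrete, below is an added example of the relevant fragment of a package definition; it is not code from this thread or from the Sandstorm project, and it assumes the `bridgeConfig.viewInfo` shape with `permissions` and `roles` lists (and the `title`, `verbPhrase`, `description`, `permissions`, `default` role fields) as commonly used in `sandstorm-pkgdef.capnp` for apps that use `sandstorm-http-bridge`. The app name and wording are placeholders. The security point it shows: once an app declares a single role, the share dialog has a verb phrase and description to render, so the recipient sees "can edit" and a plain statement that this is full read/write access, rather than an unexplained "Share".

```capnp
# Added example, not from the Sandstorm repository. Excerpt of a hypothetical
# sandstorm-pkgdef.capnp for an app served through sandstorm-http-bridge.
# Field names follow the ViewInfo / PermissionDef / RoleDef schema as assumed
# here; verify them against the current sandstorm-pkgdef.capnp before use.
bridgeConfig = (
  viewInfo = (
    permissions = [
      # A single permission meaning full read/write access. The description
      # is what the shell can show, so it states plainly what is granted.
      (name = "editor",
       title = (defaultText = "editor"),
       description = (defaultText = "can read and modify everything in this grain")),
    ],
    roles = [
      # A single role that carries that one permission (permissions is a
      # list of booleans, one per entry in the permissions list above).
      # verbPhrase is rendered in the share dialog as "<recipient> can edit".
      # default = true makes this the role offered when sharing.
      (title = (defaultText = "editor"),
       permissions = [true],
       verbPhrase = (defaultText = "can edit"),
       description = (defaultText = "editors can read and modify everything in this grain, just like the owner"),
       default = true),
    ],
  ),
),
```

An app that later wants to offer a read-only share adds a second role with `permissions = [false]` and a `verbPhrase` such as "can view"; the existing role stays in place so previously issued shares keep their meaning.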