Tag cloud privacy issue

Oct. 7th, 2010 11:11 am
lederhosen: (Default)
[personal profile] lederhosen
Reported as bug on LJ - not sure whether DW has the same bug.

If I look at somebody's tag cloud on their journal, it only shows me tags that are found in the posts I have permission to view (e.g. if I'm not logged in, I can only see tags that appear in at least one public post).

However, as long as I have permission to view *at least* one post with that tag, the tag cloud gives me info about the *total* number of posts with that tag (not just the ones I'm allowed to access).

Example: Sue makes a public post about the great holiday she just had, and tags it 'holiday', then forgets about it.

A couple of years later, she decides to go on another holiday. She starts posting about it, but she's been having problems with a creepy ex so she makes these posts friends-locked.

However, because she's using the same tag - and because there's a long-forgotten public post with that tag - her ex can see that the 'holiday' tag is getting bigger, and by mousing over he can tell exactly how many 'holiday' posts she's made. He can check back in to figure out when she's updating and get an idea of when the house might be vacant.

IMHO, if a user decides to restrict access on a post, LJ should not be providing *any* info about that post to people who don't have the appropriate access permissions.
  • Add Memory
  • Share This Entry
Flat | Top-Level Comments Only

Date: 2010-10-07 07:50 am (UTC)
tyggerjai: (Default)
From: [personal profile] tyggerjai
See also reply in LJ, but now that I've thought about it, that is a nasty combination. See if the calendar thing is still an issue, and write up a bug report with the scenario you describe.

The issue is almost certainly one of resources - you can fairly quickly generate a list of all posts with a tag (in fact, you can do it statically and update when a post is made), but to check every tag for every user every time the cloud is built is scary CPU consumption.

But I'll look into it on DW.

Date: 2010-10-07 08:22 am (UTC)
tyggerjai: (Default)
From: [personal profile] tyggerjai
To which the obvious answer is "don't show post counts at all". It's something that bugs me too, though - private is private.

Date: 2010-10-07 08:25 am (UTC)
tyggerjai: (Default)
From: [personal profile] tyggerjai
Also, since I'm using this as a dumping ground for my random thoughts about it .... It's possible that the tag count is already style dependent - that there are styles that don't show the number. If the default style doesn't show the number, does that mean the system is already "opt in" ;P

Date: 2010-10-07 08:31 am (UTC)
lederhosen: (Default)
From: [personal profile] lederhosen
Any idea how the "don't display tags if they can't access any post with that tag" functionality works? Presumably that's creating some sort of tag-specific access list, either statically or dynamically; maybe it'd be possible to create counts at the same time.

Date: 2010-10-07 08:34 am (UTC)
tyggerjai: (Default)
From: [personal profile] tyggerjai
No idea, but I can check, and it may indeed be possible.

Date: 2010-10-07 01:35 pm (UTC)
tyggerjai: (Default)
From: [personal profile] tyggerjai
Yeah, it's still a much bigger resource impact, because you have to test each entry with each tag, rather than just a "select *", if you like :)

Still, it should be possible to opt out of the tag count.

Date: 2010-10-07 09:30 am (UTC)
trixtah: (Default)
From: [personal profile] trixtah
Yep, I noticed that one a few years ago, but didn't think of reporting it as a bug!
  • Add Memory
  • Share This Entry
Flat | Top-Level Comments Only

Profile

lederhosen: (Default)
lederhosen

July 2017

S M T W T F S
      1
2345678
9101112131415
16171819202122
2324252627 2829
3031     

Most Popular Tags

Page Summary

Style Credit

Expand Cut Tags

No cut tags
Page generated Jul. 8th, 2025 02:18 pm
Powered by Dreamwidth Studios