hatman: HatMan, my alter ego and face on the 'net (Default)
hatman ([personal profile] hatman) wrote in [site community profile] dw_suggestions, 2014-03-05 11:33 pm

Password protect posts so non-DW friends can be included


Add an additional security option between "public" and "friends" where the post is viewable to anyone with the correct password. This would allow users to include friends without DW accounts in non-public posts.

It's been a few years since this was last suggested ( http://dw-suggestions.dreamwidth.org/147407.html ). Maybe opinions have changed.

WordPress has a password protected post option ( http://en.support.wordpress.com/posts/post-visibility/#password-protect-a-post ). A post with this security setting is viewable to anyone with the correct password. The public and RSS readers can see that a new post is there, but you must enter the password to read the actual content. This allows you to have non-public content available to friends who don't have an account on the site (or who use OpenID). I'd like to see something akin to that implemented here.

A modification suggested in the comments last time would also include the option to make the post (including password prompt) viewable only by direct link.

Having it not only gives you greater control over who outside the site can see your content, it might just pull in new users. They'd come to the site to read your posts, see how it works, and maybe just be tempted to try it themselves.

So it works like this:

Between "Public" and "Access List," there would be an additional security option labeled "Password Protected." When you select that, you enter a password. When the post goes up, you have what amounts to a cut tag hiding the post's contents (including comments) until the reader enters the correct password. An additional sub-option (available via checkbox, perhaps?) would allow you to make even the password prompt viewable via direct link only. Crossposts would link back to DW, where readers would be prompted for the password.

Poll #15787 Password protect posts so non-DW friends can be included
Open to: Registered Users, detailed results viewable to: All, participants: 49

This suggestion:

Should be implemented as-is.
8 (16.3%)

Should be implemented with changes. (please comment)
7 (14.3%)

Shouldn't be implemented.
23 (46.9%)

(I have no opinion)
11 (22.4%)

(Other: please comment)
0 (0.0%)

andrewducker: (Default)

[personal profile] andrewducker 2014-08-09 04:27 pm (UTC)(link)
If your friends want to read it then they can log in with OpenID, and you can grant them access.

The method you're suggesting also means making it clear that there's a protected entry that people don't have access to - which I don't believe is how it works at the moment. There's no way, from looking at my journal, for you to tell I have _any_ protected entries.
matgb: Artwork of 19th century upper class anarchist, text: MatGB (Default)

[personal profile] matgb 2014-08-09 04:57 pm (UTC)(link)
True, but as it's proposed to be a new level that people can choose, or not, to use, then it doesn't affect anyone that doesn't want to use it in any way.

The problem with the current system is that you can't grant access to someone in advance. If there was some way I could denote "that Twitter user, that LJ account, etc have access" before they ever log in, then the existing system would be quite good, but as there basically isn't (there are some tricks for LJ accounts using the importer but they're not designed for this) it means I can't write something and tell a friend without an account to read it.

They have to first login here with OpenID, then I have to log in and tell DW to let that account read it, then they have to come back and read it, which isn't an ideal user experience for a non-DW user, and also not a good first impression for a potential future DW user.

I can see the point of the above proposal and can see it would benefit a subgroup of users that want to give non-OpenID using friends access to some content; other platforms (e.g. WordPress) do allow this sort of thing.

(the big thing is that DW needs some volunteers with user interface design experience to revamp the login interface for OpenID/OAuth (when it's integrated) etc, but that's way outside the scope of this suggestion and not something I can help with)
andrewducker: (Default)

[personal profile] andrewducker 2014-08-09 06:23 pm (UTC)(link)
This method is functionally equivalent to creating a new user ID, granting it access, and then passing the password to all of your friends who you want to read it.

(In fact, that's how I'd implement this in the background, if I was implementing it).

This provides a plausible illusion of security, while ignoring the fact that if you give access to 10 people, chances are that six weeks later a fair few more are using the password as it's passed around.

I'd be in favour of improving the UI for this, but the current proposal feels altogether wrong, security-wise, with lots of potential for drama.
matgb: Artwork of 19th century upper class anarchist, text: MatGB (Default)

[personal profile] matgb 2014-08-09 08:27 pm (UTC)(link)
That's actually not a bad alternate suggestion: let people 'create' accounts that only actually activate if a unique email is clicked and then send them as part of the invite, or similar. If you can add people in advance of them actually confirming they want an account then it'd solve the problem.
ext_3679: (Default)

[identity profile] fiddlingfrog.livejournal.com 2014-08-09 11:40 pm (UTC)(link)
I think this is the most elegant way to solve the clunkiness of the current system and Andrew's security concerns. So I imagine it'd go something like this:
1. Write an entry, restrict it to all friends or some smaller group.
2. Click some kind of "Invite others to read this entry" link.
3. Add e-mail address, or tell DW the number of invites you need, and send it out. If you know your friends' e-mail address DW sends out a message with a code link in it. If you only know them via Twitter or Tumblr or somewhere else, DW gives you a list of codes you can send manually.
4. When the other person clicks on the code link in their message they go through an abbreviated account creation process, are automatically added to your access list (and any applicable groups) and are redirected to that entry.
5. For security, let the inviter choose a time frame for the invitations to expire - maybe two months as default.
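
The invite flow in steps 1-5 above, sketched as an added example that is not part of the thread and not Dreamwidth code: each code is random, stored only as a hash, expires, and binds to the first account that redeems it, so a forwarded code does not spread the way the shared password discussed earlier in the thread would. `InviteStore`, its method names, the entry id and the 60-day reading of "two months" are assumptions.

```python
import hashlib
import secrets
import time

DEFAULT_TTL = 60 * 24 * 3600  # step 5 default; "two months" taken as 60 days (assumption)


class InviteStore:
    """Hypothetical in-memory store for per-entry invite codes."""

    def __init__(self):
        self._invites = {}     # sha256(code) -> invite record
        self.access_list = {}  # entry_id -> set of account names

    def issue(self, entry_id, count, ttl=DEFAULT_TTL, now=None):
        """Steps 2-3: mint `count` distinct codes for one restricted entry."""
        now = time.time() if now is None else now
        codes = []
        for _ in range(count):
            code = secrets.token_urlsafe(32)  # unguessable, unlike a chosen password
            digest = hashlib.sha256(code.encode()).hexdigest()
            # Only the hash is kept, so a leaked table yields no usable codes.
            self._invites[digest] = {"entry": entry_id, "expires": now + ttl,
                                     "redeemed_by": None}
            codes.append(code)
        return codes

    def redeem(self, code, account, now=None):
        """Step 4: bind the code to one account and grant access to the entry."""
        now = time.time() if now is None else now
        inv = self._invites.get(hashlib.sha256(code.encode()).hexdigest())
        if inv is None:
            return "unknown"
        if inv["redeemed_by"] is not None:
            # Single use: the same account may click again, nobody else can.
            return "ok" if inv["redeemed_by"] == account else "already-used"
        if now > inv["expires"]:
            return "expired"
        inv["redeemed_by"] = account
        self.access_list.setdefault(inv["entry"], set()).add(account)
        return "ok"

    def can_read(self, entry_id, account):
        """Access check used when the restricted entry is requested."""
        return account in self.access_list.get(entry_id, set())
```

Because access ends up on the access list per account, the inviter can later see who redeemed which code and remove one reader without affecting the others.
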
matgb: Artwork of 19th century upper class anarchist, text: MatGB (Default)

[personal profile] matgb 2014-08-09 11:45 pm (UTC)(link)
This is now my with changes ;-)

(I'd probably set the default to 28 days not two months if it were me but either is good)

[personal profile] alexbayleaf 2014-08-10 03:04 am (UTC)(link)
andrewducker: (Default)

[personal profile] andrewducker 2014-08-10 07:57 am (UTC)(link)
Yup, like it.

Automate the current process in a nice simple way.

Edit: I think it's now sufficiently different that it should be its own suggestion.
Edited 2014-08-10 07:58 (UTC)
kaberett: Overlaid Mars & Venus symbols, with Swiss Army knife tools at other positions around the central circle. (Default)

[personal profile] kaberett 2014-08-10 03:01 pm (UTC)(link)
Agreed re sufficient difference; consequently not voting in poll.
phidari: (Default)

[personal profile] phidari 2014-08-10 09:16 pm (UTC)(link)
"With changes" = this.

[personal profile] swaldman 2014-08-10 11:25 am (UTC)(link)
I'm rather uneasy about this bit,

"The public and RSS readers can see that a new post is there"

simply because that is not the way that anything else works on DW. For consistency, I'd prefer that people without access to something aren't aware that it's there, and I'd be against making this an option, because More Options.

With that said, a drawback is that these posts would then effectively be invisible to RSS readers, because (perhaps depending upon implementation) there wouldn't be a consistent username/password to use digest auth with.
inthetatras: Nagato Yuki giving a considering look. (processing... processing...)

[personal profile] inthetatras 2014-08-11 03:15 am (UTC)(link)
I'd prefer that people without access to something aren't aware that it's there

This is also how I feel about that.

I like how one of the linkshare settings on Gdocs is "viewable only to those with a direct link." Of course, Gdocs is not a journaling site and therefore the average user won't be going browsing over the documents created by a certain given user, whereas on DW and other journaling sites it's easy for people to go browse someone's public journal entries. But the idea itself is a nice one.
inthetatras: (megane Atobe)

[personal profile] inthetatras 2014-08-11 03:18 am (UTC)(link)
My "with changes" is that only those with the link should be able to know it's there. The idea proposed by [livejournal.com profile] fiddlingfrog has potential.
montuos: cartoon portrait of myself (Default)

[personal profile] montuos 2014-08-11 04:33 pm (UTC)(link)