Colonel_mortis last won the day on September 27 2016

Colonel_mortis had the most liked content!

About Colonel_mortis

  • Rank
    Community Regular

IPS Marketplace

  • Resources Contributor
    Total file submissions: 2

Profile Information

  • Gender
  • Location
  • Interests
    Breaking things
    Making the devs pull their hair out


  1. If a user posts a poll and sets it not to display the names of the people who voted for each option, members don't get warned that their vote will be public and they may wish to share their opinion anonymously. However, the author of the poll can just edit the poll to set it to public, and see the names and choices of everyone who has already voted. This defeats the point of having private polls. Either it shouldn't be possible to change a poll from private to public, or votes from when it was private should be anonymised.
  2. It would actually be super easy to implement - they just need to remove the check for author != loggedIn()->member_id in checkForNewReplies (just removing part of a single line). The only other consequence of doing this is that you'll get "1 new reply" toasts for your own replies if you have it open in multiple tabs/browsers, but I think that isn't a bad thing.
  3. It would be great if there was a user option to only receive email notifications when they're offline, or to get a summary email of the notifications that they've missed if they don't visit the site for some period of time (as Stack Overflow does). There's no point getting email notifications when you're actively browsing the site, but equally if you're only an infrequent visitor you don't want to miss any replies to things that you're interested in or that you posted, and something like this would strike that balance (while also helping to boost retention in a user-friendly way).
  4. At the moment if there is a video embedded in the editor, it can be difficult to remove because clicking it just controls the video. If it was a widget and had a grab handle, it would be a bit easier to control.
  5. I usually complain that most of your new features have great concepts, but just don't get delivered properly and end up not being useful. There is of course still plenty of time, but I have been very pleasantly surprised by how well implemented this looks, and I'm actually looking forward to rolling this out on my site! Thank you, and please keep it up!
  6. I don't know what you've come up with, so maybe it is legitimately irreversible (a random value stored in a cookie would probably be good). But in the world of GDPR, md5(member_id) (or anything else that I could easily reverse with an SQL query) doesn't go far enough to be described as anonymised, and I would be very cautious of advertising it as such.
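The two posts above (private poll votes that become linkable once the poll is made public, and md5(member_id) being advertised as "anonymised") share one point: a value derived by an unkeyed hash from a small id space is not anonymous, because anyone with the member table can rebuild the mapping by hashing every id. The following added example is not IPS code and not from the poster; it is a stand-alone Python illustration using a constructed member table. It shows enumeration recovering the id behind an md5 pseudonym, a keyed pseudonym (HMAC) that only the key holder can reverse, and the random per-vote token the post suggests, which cannot be linked back at all.

```python
import hashlib
import hmac
import secrets

# Constructed sample member table (id -> name); not real data.
MEMBERS = {1: "alice", 2: "bob", 3: "carol", 1234: "colonel_mortis"}


def md5_pseudonym(member_id):
    """The scheme the post warns about: an unkeyed hash of a small-range integer."""
    return hashlib.md5(str(member_id).encode()).hexdigest()


def keyed_pseudonym(member_id, key):
    """Keyed pseudonym: the same id always maps to the same value, but without
    the key an attacker cannot regenerate candidates to compare against."""
    return hmac.new(key, str(member_id).encode(), hashlib.sha256).hexdigest()


def random_vote_token():
    """Unlinkable token, e.g. stored in the voter's cookie: derived from nothing,
    so there is no mapping to rebuild. Linking it to a member later would
    require the site to have stored that link explicitly."""
    return secrets.token_urlsafe(32)


def recover_by_enumeration(target, member_ids, derive):
    """What a single SQL query like
         SELECT member_id FROM members WHERE MD5(member_id) = ?
    does: derive the pseudonym for every known id and look for a match."""
    for mid in member_ids:
        if derive(mid) == target:
            return mid
    return None


def demo():
    # md5(member_id): fully reversible with nothing but the member table.
    leaked = md5_pseudonym(1234)
    recovered_md5 = recover_by_enumeration(leaked, MEMBERS, md5_pseudonym)

    # HMAC pseudonym: enumeration with a guessed key finds nothing;
    # only the holder of the real key can link it back.
    real_key = secrets.token_bytes(32)  # would live in server config
    leaked_keyed = keyed_pseudonym(1234, real_key)
    recovered_wrong_key = recover_by_enumeration(
        leaked_keyed, MEMBERS, lambda m: keyed_pseudonym(m, b"guess"))
    recovered_right_key = recover_by_enumeration(
        leaked_keyed, MEMBERS, lambda m: keyed_pseudonym(m, real_key))

    # Random tokens: two votes by the same member are not even linkable to each other.
    t1, t2 = random_vote_token(), random_vote_token()
    return recovered_md5, recovered_wrong_key, recovered_right_key, t1 != t2


if __name__ == "__main__":
    print(demo())
```

For the private-poll case, storing a random token per vote while the poll is private means flipping the poll to public afterwards reveals nothing about earlier voters; the keyed variant is the middle ground if the site itself must still be able to deduplicate votes per member.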
  7. I don't disagree, and I think it makes sense. However, I would dispute your claim that it requires a new dns lookup, tcp connection and tls setup - it is fetching from the same server as the main content so if your server is correctly configured with keep-alive it will reuse the existing connection, resulting in 0ms overhead. Even if you have keep-alive disabled (as ips did for a while, although they may have changed that now), the dns lookup will always have been cached and if you are running an up to date version of openssl and nginx/apache you can get 0- or 1-rtt tls session resumption, so there should only be 1-2 round trips of overhead. Resending the cookies is still a reasonable concern, but the others are not.
  8. Not all of my members want to receive new device emails - some people regularly log into different devices or are browsing at work and don't want to leave cookies behind. I do want staff members to receive new device emails, and currently there is no way to have it both ways. I propose that the new device email setting should be 3- or 4-way configurable – on for everyone, default on but customisable, default off but customisable, and off for everyone. The setting would fit nicely on the "Account Security" page (2FA) of account settings. Alternatively, at least make it a per-group setting. It would also be nice to get a similar email for ACP logins, perhaps using the same device tracking as the front end to avoid sending too many emails.
  9. I've not read through the whole topic in detail. However, for what it's worth, enabling X-XSS-Protection (XXP) breaks embeds in Safari under certain circumstances. Also, XXP has absolutely nothing to do with ddos attacks, it is just a rudimentary safeguard against reflected XSS attacks. Of the handful of XSS attacks that I can recall finding in IPS, only one could be blocked by XXP (and as it happens, it was on a page where XXP was enabled and the attack was blocked in the browsers which support it).
  10. All activity currently checks for updates automatically, but only inserts them when you click the button. It would be nice, as suggested by one of my members, to add the option of automatically showing the new posts too. It adds no extra server load, because the posts are already loaded into the browser during the background poll, not when they click show. This could get annoying if the user is scrolled below the top and there is no handling of scrolling the viewport to match where they were looking, but this can be solved by making it an option, or by implementing viewport scrolling so the posts are inserted above but the browser is scrolled accordingly so they don't notice.
  11. Downloading the image was the thing I originally posted in the OP... But glad to hear that you're working on it.
  12. If the user disables the map, the EXIF data is still retained on the image (when using Imagemagick), so this gives the user a dangerous false sense of security that their location is private. All I need to do is download the image and I can extract the location.
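The EXIF point above is easy to check mechanically: location data lives in the Exif APP1 segment of a JPEG, as a GPSInfo pointer (tag 0x8825) in the first IFD, and disabling a map overlay does nothing to those bytes. The added example below is not IPS code and not from the poster; it is a stand-alone Python walker over JPEG marker segments that reports whether an image still carries a GPS IFD and strips the APP1 metadata segments before the file is served. The sample input is a constructed, minimal JPEG-shaped byte string (valid segment layout, not a decodable picture) so the example runs offline.

```python
import struct

SOI, EOI, SOS, APP0, APP1 = 0xFFD8, 0xFFD9, 0xFFDA, 0xFFE0, 0xFFE1
GPS_IFD_TAG = 0x8825  # IFD0 entry that points at the GPS sub-IFD


def iter_segments(jpeg):
    """Yield (marker, start, end) for each marker segment from SOI up to and
    including the SOS header. Entropy-coded scan data after SOS is not parsed."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(jpeg):
        (marker,) = struct.unpack(">H", jpeg[pos:pos + 2])
        if marker >> 8 != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        if marker == EOI:
            return
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        end = pos + 2 + length  # the length field counts its own two bytes
        yield marker, pos, end
        if marker == SOS:
            return
        pos = end


def exif_payload(jpeg):
    """Return the TIFF structure inside the Exif APP1 segment, or None."""
    for marker, start, end in iter_segments(jpeg):
        if marker == APP1 and jpeg[start + 4:start + 10] == b"Exif\x00\x00":
            return jpeg[start + 10:end]
    return None


def has_gps_ifd(tiff):
    """Walk IFD0 of the embedded TIFF and look for the GPSInfo pointer tag."""
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if order is None:
        return False
    magic, ifd0 = struct.unpack(order + "HI", tiff[2:8])
    if magic != 42 or ifd0 + 2 > len(tiff):
        return False
    (count,) = struct.unpack(order + "H", tiff[ifd0:ifd0 + 2])
    for i in range(count):
        off = ifd0 + 2 + 12 * i  # each IFD entry is 12 bytes: tag, type, count, value
        if off + 12 > len(tiff):
            break
        (tag,) = struct.unpack(order + "H", tiff[off:off + 2])
        if tag == GPS_IFD_TAG:
            return True
    return False


def image_has_location(jpeg):
    payload = exif_payload(jpeg)
    return payload is not None and has_gps_ifd(payload)


def strip_exif(jpeg):
    """Copy of the file with every APP1 segment (Exif, XMP) removed; all other
    segments and the scan data through EOI are kept byte-for-byte."""
    out = bytearray(b"\xff\xd8")
    last_end = 2
    for marker, start, end in iter_segments(jpeg):
        last_end = end
        if marker == APP1:
            continue
        out += jpeg[start:end]
    out += jpeg[last_end:]
    return bytes(out)


def _segment(marker, payload):
    return struct.pack(">HH", marker, len(payload) + 2) + payload


def build_sample_jpeg(with_gps):
    """Constructed test input: SOI, JFIF APP0, Exif APP1 with a tiny little-endian
    TIFF IFD0, an SOS header, three bytes of dummy scan data, EOI."""
    app0 = _segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    entries = [(0x010F, 2, 6, 0)]  # Make tag (ASCII); value offset is a dummy
    if with_gps:
        entries.append((GPS_IFD_TAG, 4, 1, 0))
    tiff = b"II" + struct.pack("<HI", 42, 8) + struct.pack("<H", len(entries))
    for tag, typ, cnt, val in entries:
        tiff += struct.pack("<HHII", tag, typ, cnt, val)
    tiff += struct.pack("<I", 0)  # no further IFD
    app1 = _segment(APP1, b"Exif\x00\x00" + tiff)
    sos = _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    return b"\xff\xd8" + app0 + app1 + sos + b"\x12\x34\x56" + b"\xff\xd9"


if __name__ == "__main__":
    sample = build_sample_jpeg(with_gps=True)
    print("before:", image_has_location(sample), "after:", image_has_location(strip_exif(sample)))
```

Running `image_has_location` on an upload is the check the post says is missing: a "map disabled" flag in the database is not evidence that the served file lacks coordinates. Stripping at upload time (or via the image library's own strip option) is the fix; the walker above shows what such a strip has to remove.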
  13. Ah, you seem to be right. I guess I must have been thrown off by the method name, because I did think I had checked how it worked. Nothing to see here. However, I would still like to see the user being given the option to use the name or choose another, rather than it being an admin decision, or at the very least it shouldn't count towards their username changes.
  14. The following is from the Facebook login handler; other default login handlers are largely the same:

        /**
         * Get authenticated user's username
         * May return NULL if server doesn't support this
         *
         * @param string $accessToken Access Token
         * @return string|NULL
         */
        protected function authenticatedUserName( $accessToken )
        {
            if ( isset( $this->settings['real_name'] ) and $this->settings['real_name'] )
            {
                return $this->_userData( $accessToken )['name'];
            }
            return NULL;
        }

      This function does not fulfil the contract specified in the documentation - the server does support getting the name, regardless of the real name configuration. By returning NULL when real name import is disabled, my name won't be shown when in my account settings, or in ACP. This is not good, and defeats most of the point of displaying the name in UCP/ACP in the first place. Moreover, the whole username import process is not fit for purpose in my view. If I create an account, I don't want to be forced to use the name from my social service, especially as when that feature is enabled it counts as a username change, so I can't actually change it for some time (as specified by the admin, 180 days on my site). I would, however, like my name to be prefilled in the username box, at least when connecting to a site that doesn't use my real name. Also, on some third party sites, my display name and my username might be different, and I would like my display name to be prefilled when creating my username here, but I would like my username to be displayed when viewing my account link in my settings (and ACP). A concrete example: I want to let people use their steam name, but lots of people on Steam have clan tags in their usernames, which would not make sense on my site. They should get the option to edit their name to remove these clan tags before creating the account. Another concrete example: On discord, my display name is, say, "coolName". There can be multiple people called "coolName", so internally I am actually "coolName#1234", and this is displayed in some places. When I create an account, I want "coolName" to be prefilled in the box, but when I view it in my account settings (or, more importantly, in ACP), I want to see that it's actually coolName#1234. You can fix this by removing all the useless stuff from authenticatedUserName, and just prefilling the username box with the value from it if available. If no name is available, it will behave as it does now, but if the service provides a name it can be prefilled magically (or, if you really think users appreciate less friction over having their real name displayed next to their posts without getting a choice about it, you could give admins the option of automatically creating the account with that name, but it should be an OPTION). Ideally, also add another method for getting the name to display in account settings and/or ACP (separate methods would be nice, but the same is fine), which defaults to the name returned above, but lets me return a different value if I so desire.
  15. And yet I still see people asking how they can add a local password. Using "forgot your password" when you never had a password is not intuitive enough for all of my relatively technical users (I of course don't have figures for how many people figured it out on their own, and how many people looked at their account settings, couldn't see a way to add a local password, and gave up).