Date   

moderated Re: Report File -- "Content flagged as objectionable" #suggestion

 

On Thu, Jan 21, 2021 at 5:11 PM Andy <AI.egrps+io@...> wrote:
There is a feature to Report File by clicking the flag icon next to the filename.  It sends a message ("Content flagged as objectionable") from Groups.io to each owner/moderator.

We recently saw a file reported this way, because someone had a question about the file.  The right thing for him to have done, was to send a new Message.  But he saw the flag icon and used it.

Suggestions:

1. When someone reports a file, Groups.io sends messages addressed to each Owner/Moderator.  I think it should be addressed to the "+owner" address.  By addressing it to Owner/Moderator addresses, it looks like Spam.  (Indeed, my co-moderator interpreted it that way, especially because the sender's status was NMM.)

2. It leaves nothing behind in the group's "Activity" log.  Nor in the sender's "Activity History".  Nor in the sender's "+owner Messages".  It should.  All three.

3. When reporting a file, the description in the pop-up window is: "I think this file isn't appropriate for our Group."  Hmm.  I was thinking that is much too open-ended.  It's not the same thing as "objectionable".  But maybe that was your idea, to allow it to be used for any reason, leaving discretion to Moderators.  Yes?  Still, I wonder if it should be for things actually bad and objectionable.  I'm also wondering, because we have many group members not in the USA for whom English is not their native language.


There are now activity log entries for when someone reports a message, file or photo. These show up in the group activity log as well as when viewing a member's activity log. 

I didn't change how the messages are sent, as I'm not sure changing it to +owner is the best solution. For one thing, that would generate a new, now duplicate, activity log entry (such and such sent a message to owners). And also, these emails at some point will be changed to support app/push notifications as well (that setting is currently ignored for them).

Thanks,
Mark


moderated Re: Changing email address security issue #misc

 

Imagine some unsuspecting new member. They join groups.io and they (akin to the scenario in Mark’s original post here) run into some bad-actor group owner, having no idea that ANY group owner, of ANY group theg join, csn actually change their email address, which comprises the basis of their entire groups.io account and is the one piece of data that uniquely identifies them to the system. Of course that means, in the bad actor scenario, that group owner also has their login password.

No, Andy. I am entirely comfortable and confident in using grouos.io. But no, I’m not comfortable or confident with that scenario. 


On Feb 3, 2021, at 3:32 PM, J_Catlady via groups.io <j.olivia.catlady@...> wrote:

Andy,

I never said I’m not “comfortable or confident” using the feature. I don’t know where you get that. I think the feature gives groups inappropriate power over members’ groups.io accounts. 

As Bruce put it: we can’t change members’ profiles, but we can change their login info? 


On Feb 3, 2021, at 2:56 PM, Andy Wedge <andy_wedge@...> wrote:

On Wed, Feb 3, 2021 at 06:35 PM, J_Catlady wrote:
Exactly, what Peter says. it’s risk vs benefit. Huge risk, negligible benefit.
If you're not comfortable or confident in using this function then just stay clear. Nobody is forcing you to use it. Some of us find it useful and use it carefully in support of members. If the account address being changed is subscribed to other groups then a warning message or prompt might be nice but I'd still want the function.

Andy

--
J

Messages are the sole opinion of the author, especially the fishy ones.
My humanity is bound up in yours, for we can only be human together. - Desmond Tutu


--
J

Messages are the sole opinion of the author, especially the fishy ones.
My humanity is bound up in yours, for we can only be human together. - Desmond Tutu


moderated Re: Changing email address security issue #misc

 

Andy,

I never said I’m not “comfortable or confident” using the feature. I don’t know where you get that. I think the feature gives groups inappropriate power over members’ groups.io accounts. 

As Bruce put it: we can’t change members’ profiles, but we can change their login info? 


On Feb 3, 2021, at 2:56 PM, Andy Wedge <andy_wedge@...> wrote:

On Wed, Feb 3, 2021 at 06:35 PM, J_Catlady wrote:
Exactly, what Peter says. it’s risk vs benefit. Huge risk, negligible benefit.
If you're not comfortable or confident in using this function then just stay clear. Nobody is forcing you to use it. Some of us find it useful and use it carefully in support of members. If the account address being changed is subscribed to other groups then a warning message or prompt might be nice but I'd still want the function.

Andy

--
J

Messages are the sole opinion of the author, especially the fishy ones.
My humanity is bound up in yours, for we can only be human together. - Desmond Tutu


moderated Re: Changing email address security issue #misc

 

> Moderators already cannot change the Role of owners.

Thanks Mark. I was made aware of that after I posted. As I commented to Bruce, keeping up with beta and GMF is much more difficult since the final exodus from Y!.
 
But I stand by the rest of my thought. Please continue to provide us the tools to help regular members. That was the primary reason I took several of my groups Premium in the first place.
 
I do think Andy Wedge's idea in the previous post, to send a warning message or prompt to the owners of other groups that the member is subscribed to, is worthy of consideration.
 
Dano
 

Virus-free. www.avg.com


moderated Re: Clarify Photo Album Owner Name #suggestion

 

Hi All,

I've removed the album owner from the /photos page and instead it's now displayed when you view a specific album, on top of the cover graphic.

Cheers,
Mark


moderated Re: Add DisplayName in the "joined" notification #suggestion

 

On Wed, Feb 3, 2021 at 9:57 AM Christos G. Psarras <christos@...> wrote:

Hi Mark,

It can be useful in certain situations if DisplayName is added in the mod joined notification text, i.e.


I've changed it so that for all mod notifications, we will display "DisplayName <email>" if we have it, instead of just DisplayName or email.

Thanks,
Mark 


moderated Re: Changing email address security issue #misc

 

On Wed, Feb 3, 2021 at 12:50 PM D R Stinson <dano@...> wrote:
 
From my viewpoint the problem is the user of the authority, not the ability. As noted above, taking away the ability to change an owner's or moderator's would avoid most on these risks. Added to this, I suggest that a moderator should not be able to change the role of owner. I see hijacking the ownership of a group to be a greater problem.
 
Moderators already cannot change the Role of owners.

Thanks,
Mark


moderated Re: Changing email address security issue #misc

Andy Wedge
 

On Wed, Feb 3, 2021 at 06:35 PM, J_Catlady wrote:
Exactly, what Peter says. it’s risk vs benefit. Huge risk, negligible benefit.
If you're not comfortable or confident in using this function then just stay clear. Nobody is forcing you to use it. Some of us find it useful and use it carefully in support of members. If the account address being changed is subscribed to other groups then a warning message or prompt might be nice but I'd still want the function.

Andy


moderated Re: Changing email address security issue #misc

 

I ran into the need for this just yesterday and have yet to actually use it. I have a member in one of my premium groups who applied for a new membership. Because I knew who the person was, I suggested he just change his email address so he stays connected with his content. I explained how he can change his email address, but it didn't work for him. We have been unable to ascertain why. I should add that he wants to change his email for all his groups.io memberships, as his old email is going away. 
 
At this point I don't know what the problem is. The group activity doesn't show me anything. And because his old account is going away, there is a certain desire on his part to do this right away. The obvious solution to me is to change his email address for him. And yet I am hesitant for all the reason to just jump to this for all the reasons we've talked about in the past.
 
If this ability goes away, it's going to add a burden to support's load. I see an obvious need for the authority. But it tends to be those operating in the right hand lane who need that assistance. I would suggest disallowing the ability to change owners' or moderators' addresses, who are more likely to be able to do that on their own anyway. But for the sake of avoiding more work for Support, leave the ability for owners to help regular members who tend to be less technology savvy.
 
I can also see a need for the ability to merge membership accounts. I have had a number of members who rejoined as a new address, leaving their old accounts orphaned. I would welcome the ability to merge their old email account into their new one to maintain content control.
 
From my viewpoint the problem is the user of the authority, not the ability. As noted above, taking away the ability to change an owner's or moderator's would avoid most on these risks. Added to this, I suggest that a moderator should not be able to change the role of owner. I see hijacking the ownership of a group to be a greater problem.
 
Dano 
 
 
J_Catlady  wrote:
> I would ask those members to reapply with the new email address. Or you csn simply add the new email address. If necessary, you can merge their old topics once they start posting.
>
 

Virus-free. www.avg.com


moderated Re: Disallow concurrent "special notices" and "following only" #suggestion #bug

 

BTW, we forgot the member list page, another spot which may or may not (for now) need tweaking.

If left the the way it is it still works fine, and since it has also been suggested to enhance that screen with more sorts/filters, we could just leave it alone for now.  The absence of FO badges indicates/implies All Messages, with the exception of Special Notice only and NoMail.

But one easy way to make it consistent with the "new" methodology, is to add something to explicitly and visually indicate All_Messages.  Creating a badge for it (even if toned-down/light greys for less visibility) wouldn't work as the list would still get too badge-busy & dilute the big picture and other badges.  But we could just add some text to the delivery method text and call it done, maybe " - ALL", " - All", " (ALL)", or something similar; it's still there but not "in your face":

NewUserSettings_memberlist.jpg

Either way would work really.

Cheers,
Christos


moderated Re: Disallow concurrent "special notices" and "following only" #suggestion #bug

 

>>> Where’s the “hit self over the head” option?
 

I didn't include it 'cause wasn't sure if it was for all groups or paid groups-only; but in the spirit of bigroupship, why not?  Here, Power to Everyone!

 
NewSP.jpg





moderated Re: Add DisplayName in the "joined" notification #suggestion

 

This is a feature that I would wholly support. During the initiation of a new group of now over 100 members, about 75% did not add a ‘Display Name.’ I had to send out an addendum notice to tell them they should do that, and guide them on how to do that. This was even with a caution/note added to the Invitation that it was the group insistence that everyone be readily recognizable and no one be ‘Oldhoseroller’ et.al.

 

‘Forcing’ a Display Name’ to be entered during the sign-on would be helpful.

 

Thanks,

 

Dan Tucker, Groups.io  AFDRetiree’s Group Founder/Owner/Moderator

 

From: "main@beta.groups.io" <main@beta.groups.io> on behalf of "Christos G. Psarras" <christos@...>
Reply-To: "main@beta.groups.io" <main@beta.groups.io>
Date: Wednesday, February 3, 2021 at 8:57 AM
To: "main@beta.groups.io" <main@beta.groups.io>
Subject: [beta] Add DisplayName in the "joined" notification #suggestion

 

Hi Mark,

It can be useful in certain situations if DisplayName is added in the mod joined notification text, i.e.

This is to notify you that DisplayName ...@... has joined your group...

or alternatively,

This is to notify you that ...@... (DisplayName) or [DisplayName] has joined your group...

Even without the bracketing it would help catch if someone (user or mod) forgot to add a DisplayName on the profile (when this is a group policy), and especially when working with a multi-mod group in such group.

Thanks and Cheers,
Christos


moderated Re: Changing email address security issue #misc

 

I would ask those members to reapply with the new email address. Or you csn simply add the new email address. If necessary, you can merge their old topics once they start posting.

There is no limit to the number of things that technically challenged members/account holders might want or ask for help with. Some things they are best learning to go on their own. You csn walk them through it. You can create your own group’s personal help wiki pages or sticky posts.

I remember being shocked when the “change member email” feature was implemented, at how much power it gave me as an owner, and at the realization that I had to treat it respectfully, and the subtle simultaneous realization that other group owners might not.

It just feels wrong.


On Feb 3, 2021, at 10:57 AM, Robert Oshel <robert.oshel@...> wrote:


How about allowing a moderator to change someone's email address only for that group, and the change does not go into effect until after the person is notified by email to the old address that the moderator is attempting to change his or her email address for the group and the person clicks an "I approve" option in the mail?  I have some technologically challenged members who have asked me to change their address.

  Bob

On Wed, Feb 3, 2021 at 11:55 AM Mark Fletcher <markf@corp.groups.io> wrote:

Hi All,

Premium group owners have the ability to change the email addresses of their members. The email address is changed on the member's Groups.io account, so affects all their subscriptions. As was pointed out to me privately, this presents a security issue. If a member is an owner of another group, this feature provides the ability for a nefarious group owner to take over that other group, by changing the email address of the member to a new email address controlled by the baddie.

I have changed the feature so that you cannot change the email address of a member who is a moderator or owner of a group.

Should I make other changes? Should the change only affect that one subscription? That is, if someone is subscribed to 2 groups, and the moderator of one of those groups changes that person's email address, should I then create a new Groups.io account, splitting off that one subscription?

Thanks,
Mark


--
J

Messages are the sole opinion of the author, especially the fishy ones.
My humanity is bound up in yours, for we can only be human together. - Desmond Tutu


moderated Re: Changing email address security issue #misc

Robert Oshel
 

How about allowing a moderator to change someone's email address only for that group, and the change does not go into effect until after the person is notified by email to the old address that the moderator is attempting to change his or her email address for the group and the person clicks an "I approve" option in the mail?  I have some technologically challenged members who have asked me to change their address.

  Bob

On Wed, Feb 3, 2021 at 11:55 AM Mark Fletcher <markf@corp.groups.io> wrote:

Hi All,

Premium group owners have the ability to change the email addresses of their members. The email address is changed on the member's Groups.io account, so affects all their subscriptions. As was pointed out to me privately, this presents a security issue. If a member is an owner of another group, this feature provides the ability for a nefarious group owner to take over that other group, by changing the email address of the member to a new email address controlled by the baddie.

I have changed the feature so that you cannot change the email address of a member who is a moderator or owner of a group.

Should I make other changes? Should the change only affect that one subscription? That is, if someone is subscribed to 2 groups, and the moderator of one of those groups changes that person's email address, should I then create a new Groups.io account, splitting off that one subscription?

Thanks,
Mark


moderated Re: Disallow concurrent "special notices" and "following only" #suggestion #bug

 

Where’s the “hit self over the head” option? 


On Feb 3, 2021, at 10:46 AM, Christos G. Psarras <christos@...> wrote:

 >>> I forgot to send it as a Special Notice.
 

Ohh, I have a graphic for that too:


<NewSP.jpg>



(jk, sorry, I guess I'll just walk myself back to the [on-topic] crate)  ;-)

Cheers,
Christos


--
J

Messages are the sole opinion of the author, especially the fishy ones.
My humanity is bound up in yours, for we can only be human together. - Desmond Tutu


moderated Re: Disallow concurrent "special notices" and "following only" #suggestion #bug

 

>>> I forgot to send it as a Special Notice.
 

Ohh, I have a graphic for that too:


NewSP.jpg


(jk, sorry, I guess I'll just walk myself back to the [on-topic] crate)  ;-)

Cheers,
Christos


moderated Re: Changing email address security issue #misc

Dave Sergeant
 

On 3 Feb 2021 at 10:35, J_Catlady wrote:

Exactly, what Peter says. it's risk vs benefit. Huge risk, negligible
benefit. Not to mention: the opportunity cost of implementing more
worthwhile things.
Having just had my personal information publicly revealed on a hacked
forum I would agree. Nobody but the member himself should be able to
change email addresses.

Dave

http://davesergeant.com


moderated Re: Changing email address security issue #misc

 

Exactly, what Peter says. it’s risk vs benefit. Huge risk, negligible benefit. Not to mention: the opportunity cost of implementing more worthwhile things.


On Feb 3, 2021, at 10:32 AM, Peter Cook <peterscottcook@...> wrote:

On Wed, Feb 3, 2021 at 01:22 PM, J_Catlady wrote:
Suppose I don’t like somebody in my group and I want access to all their subscriptions to do bad things. All I’d have to go is change the email address of their whole account.
I agree with J - I just don't think the risk outweighs the benefit to the users. Maybe I'm missing some key point about the value of this capability?

Pete

--
J

Messages are the sole opinion of the author, especially the fishy ones.
My humanity is bound up in yours, for we can only be human together. - Desmond Tutu


moderated Re: Changing email address security issue #misc

 

I agree that Shal’s idea takes us in the right direction. But still not far enough. I’d get rid of it entirely.


On Feb 3, 2021, at 10:29 AM, Shal Farley <shals2nd@...> wrote:


Mark,


Should I make other changes? Should the change only affect that one subscription? That is, if someone is subscribed to 2 groups, and the moderator of one of those groups changes that person's email address, should I then create a new Groups.io account, splitting off that one subscription?

I would disable the ability to change the address if the member is even a member of any other groups. That's because the other groups may have sensitive information in their content to which the baddie should not gain access.

Or, make it apply to this group only. But that will be fraught with details when the new address is already an account or an alias of an account. It may be worth delving into those details if it heads us in the direction of making it possible for the member to split their account, and/or move subscriptions between accounts (having somehow authenticated ownership of both).

Shal

--
J

Messages are the sole opinion of the author, especially the fishy ones.
My humanity is bound up in yours, for we can only be human together. - Desmond Tutu


moderated Re: Changing email address security issue #misc

Peter Cook
 

On Wed, Feb 3, 2021 at 01:22 PM, J_Catlady wrote:
Suppose I don’t like somebody in my group and I want access to all their subscriptions to do bad things. All I’d have to go is change the email address of their whole account.
I agree with J - I just don't think the risk outweighs the benefit to the users. Maybe I'm missing some key point about the value of this capability?

Pete

2621 - 2640 of 30686