
moderated Re: Changing email address security issue #misc

John Pearce <jponsalt@...>
 

To add to the opinions here, I would point out that in our group people don't even ask 99% of the time to have one of us change their email address.  They just open a new groups.io account, and go through the routine to subscribe.  We are a restricted group.  They always seem to leave the old subscription in place, often because they somehow forgot their passwords or otherwise lost control of their account.  This doesn't bother us too much because we don't pay by member, but I do ask about a possible old address if they tell us in the subscription response they were members before; then I delete the old subscription.  We have over 1400 members.  About half are special only; we don't allow no mail, so that we get bounces when Yahoo disables accounts.  Our group has been in existence for over 20 years and most had been on nomail on Yahoo before we moved here.  I suspect many have died as many of our members are seniors.  I see the horrible risks involved with being able to have moderators/owners be able to change someone's email address, no matter how remote.  I vote to remove that ability altogether as our group would almost never benefit from its existence and is unnecessary when it might.

John


moderated Re: "Missing data" for Activity Log filter and/or filter duplication #bug

 

On Thu, Feb 4, 2021 at 10:48 AM, Christos G. Psarras wrote:
"Added email alias"
Oh I get it now, "Added email alias" should return any members who themselves have added aliases through the main account settings, and "Added group alias" should return what "Added email alias" returns now, provided it's supposed to work with the same relationship as "changed email" and "mod changed email" returns data now.

Cheers,
Christos


moderated Activity Log event-filter incomplete display #bug

 

Hi Mark,

The log "Moderator changed moderator permissions" filter is missing the full description on the dropdown, it shows "Moderator changed" only.

Cheers,
Christos


moderated "Missing data" for Activity Log filter and/or filter duplication #bug

 

Hi Mark,

I was doing log research and noticed that when I filter by "Added email alias" I get the entries for the group aliases I have added, but when I filter for "Added group alias" I get nothing, should be the same from a technical POV, since they are really the same from a group perspective, one is the action, the other the end result of that action, which begs the question then, are they both needed? 

Looks like this is a simple case of assigning to the incorrect log event and also not hiding it from the group filters, if you are using the same table/structure for logging both group and user events, as "Added email alias" is more of a user-level event, from the UI POV anyway.  Or something else is the problem, maybe "Added email alias", in the group filters context, was meant to read "Added group email alias"?  I don't know but something's not quite right.

Cheers,
Christos


moderated Proposing a change to Hashtag page display on mobile devices #suggestion

Sandi D <sandi.asgtechie@...>
 

I use an iPad Pro iOS version 14.3. The new display interface for the Hashtag page on mobile devices is cumbersome. When we had only a few hashtags it wasn't a problem but now we have them spread over 2 pages and heading to a third.

Mobile devices can easily scroll through a page of entries so I am not sure why a listing of #s needs to be broken into different pages. That said, if there is reason for having more than one page, could you please consider putting a "next page advancement" button at the top of the screen? It's fine to leave the existing button at the bottom, but adding it to the top as well would be quite helpful.

When I tap on the link to the Hashtag page and I am looking to #VO, for example, right now I have to scroll down through all the entries before I can get to the "next page" button. Having the advance button at the top, or allowing me a continuous scroll would be nice options. 

--
Sandi Dickenson


moderated Number dropped from subject line with hashtags #bug

Samuel Murrayy
 

Hello Mark

In this message:
https://wordfast.groups.io/g/users/topic/dragon_suddenly_stopped/80312628
... the original e-mail ended on "and 6", but in web view, it ends only on "and".  The 6 got dropped.  I tried various tests sent to my test group but was not able to duplicate the issue with other wordings.

Samuel


moderated Some poll suggestions #suggestion

Samuel Murrayy
 

Hello

I recently used the polling feature for the first time.  I wanted to gauge how many people (and which people) are interested in a certain feature.  Now that I've used the polling feature once, I have some suggestions:

1. Make it possible to sort the rows by each of the columns.  Right now, rows are sorted only by date of voting.

2. For moderators, have an option to export the poll results as a CSV or Excel file.  Yes, I know one can select & copy/paste, but the result isn't tidy.

3. For moderators, have an extra column next to the names column that shows the voters' e-mail addresses.  In my case, I wanted to compare the voters to a list of e-mail addresses that I had separately, and I wanted to send e-mails to these people, but since for most of the voters only their display name was displayed, I had to convert the display names to e-mail addresses by manually looking them up in the group's members.

4. For moderators, hyperlink the voters' names to their profiles.

Samuel


moderated Re: Changing email address security issue #misc

Mark Murphy
 

On Thu, Feb 4, 2021 at 09:57 AM, Peter Cook wrote:
I discourage members from doing that, and my suggestion to them is easier: Just go to their account page and change it there. 
Yes, I should have said that also. Re-subscribing might be the only way for members who are unable to log in to GIO (never logged in, can't remember password, etc.) and have lost access to their original email account.


moderated Re: Changing email address security issue #misc

Peter Cook
 

On Thu, Feb 4, 2021 at 09:54 AM, Mark Murphy wrote:
re-subscribe to their groups with the new email address
I discourage members from doing that, and my suggestion to them is easier: Just go to their account page and change it there. 

Pete


moderated Re: Changing email address security issue #misc

Mark Murphy
 

I reported this issue to Mark privately because I consider it a serious security issue. I believe the potential security implications far outweigh any convenience this feature may provide even to a well-intentioned owner or moderator who wishes to help a member who no longer has access to an email address or who wishes to change their email address.

Maybe I'm missing something about the "need" for this feature. If a member wants/needs to change their email address, why can't the member just re-subscribe to their groups with the new email address? Are there common and valid use cases for owners or mod needing to change the email on behalf of the member, other than "convenience" for the member?

The problem here is that the ability for a user to change their email address is often implemented through an authentication mechanism other than email, such as providing a username and password. Since these are not required in GIO for email only members, there is no alternative authentication mechanism available.

Thank you,

Mark


moderated Re: Changing email address security issue #misc

 

On Thu, Feb 4, 2021 at 06:42 AM, Peter Cook wrote:
I think it's VERY easy. When someone has an issue and needs to change their address, I just tell them to go to https://groups.io/account and change it. It's never been a problem.
Well, for some reason, some people here are complaining that it's been too hard for their members to do, or that it hasn't worked, etc. It looks easy for sure. And it really is not rocket science. So my guess was that something has been going wrong with the "reconfirmation" part of the change, such as perhaps the confirmation email going into the stratosphere. Who knows. I don't believe anyone is making this up. People have been having problems, for some as-yet unknown reason. I also have never had a member who's had a problem with it. I think it just needs to be explained to them clearly, if not by the system itself on the page (which I think could use some clarification), then by the group owner.

--
J

Messages are the sole opinion of the author, especially the fishy ones.
My humanity is bound up in yours, for we can only be human together. - Desmond Tutu


moderated Re: Changing email address security issue #misc

Peter Cook
 

On Thu, Feb 4, 2021 at 09:32 AM, J_Catlady wrote:
system has not made it easy enough for them to do
I think it's VERY easy. When someone has an issue and needs to change their address, I just tell them to go to https://groups.io/account and change it. It's never been a problem.

Pete


moderated Re: Changing email address security issue #misc

 

On Thu, Feb 4, 2021 at 03:50 AM, Robert Oshel wrote:
Wouldn't having the system send an email sent to the original address (the one being changed) requiring a confirmation that the change to the new address is legitimate before the change goes into effect solve the problem?
I think it may (although my gut tells me that unforeseen problems could still ensue). As others in this thread have pointed out, and with which I strongly agree, requests by members for help making groups.io-wide changes to their accounts, such as their very identity (email address) in the system, should go to groups.io if the member themselves can't navigate the change, and not to an individual group owner. Just as today Mark posts about an unforeseen problem, I would bet there will be others, even with this suggested confirmation/notification, due to the entity making the change (group owner) being at the wrong level.

I think the problem is not that these users having trouble changing their email addresses are technically challenged, or too old, or however others here have described them. The problem is that the system has not made it easy enough for them to do. Why not fix that real problem instead of going through contortions to put bandaids on it?
 
--
J

Messages are the sole opinion of the author, especially the fishy ones.
My humanity is bound up in yours, for we can only be human together. - Desmond Tutu


moderated Re: Changing email address security issue #misc

 

On Thu, Feb 4, 2021 at 02:04 AM, Andy Wedge wrote:
There is one member that I know of who has membership to another group but that's it.
In my group, and in many or most of the cats groups, probably between 50% and 90% of the members are in other groups.
 
--
J

Messages are the sole opinion of the author, especially the fishy ones.
My humanity is bound up in yours, for we can only be human together. - Desmond Tutu


moderated Re: Clarify Photo Album Owner Name #suggestion

Duane
 

On Thu, Feb 4, 2021 at 07:22 AM, Chris Jones wrote:
But is this actually a problem?
It really depends on the wishes of the group owner for organization.  If all photos of lamps are to be in the album "lamps", then each may be owned by a different person though the album is (probably) owned by the group owner/mod.  I have just such a situation on one of my groups and none of the photos are mine, but I'm still shown as owner of the album.  In this case, having the photo owner name on the right side, across from the photo name, in the album view would resolve it, but that could be a problem with long photo names.  Maybe under the photo name would be better.

Duane


moderated Re: Clarify Photo Album Owner Name #suggestion

Chris Jones
 

On Thu, Feb 4, 2021 at 12:21 PM, Duane wrote:
But this doesn't resolve the situation where more than one person has added photos to an album.  The album creator is shown as owner until you open a photo.
But is this actually a problem? Accepting that the owner of an album may not be the owner of any or all of the photos within it doesn't look to be a major complication. To widen the discussion slightly... do members get confused when they find that they can upload a photo into album A but not into album B, simply because that is the way the album owners have set them up? Do members get hot under the collar if they find that a Group Owner or Moderator has come along and deleted some material (including complete albums) or moved photos between albums in a rationalisation exercise?

To me there is a risk of going round looking for problems that don't really exist.

Chris


moderated Re: Changing email address security issue #misc

Jeremy H
 

As I mentioned in another thread, the Groups.io ecosystem is formed of three groups of stakeholders: "Service provider (Groups.io, Inc, i.e. Mark)", "Group Owners" and "Group Members" - each of whom has a relationship with both of the others. In particular, Group Members do have a direct relationship with Groups.io, Inc, separate from whatever relationship they have with Group Owners. And it is because of their relationship with Groups.io, Inc, that they can be members of groups.

From this it follows that Group Owners should only be able to change a Member's settings that are, specifically, part of their membership of that owner's group.

And that any Member Settings that apply to no specific group, or multiple groups, should only be able to be changed by the member, or (if really necessary) by Groups.io support.

As a user's (Group Member's) e-mail address is used to log on to Groups.io, and for all messages from all their groups, it follows that only they, or Groups.io support, should be able to change it. (If they had a separate e-mail-address-for-posts-from-this-group, then that group's owner should be able to change that - but (AIUI) that's not how Groups.io works)

The one area where this might not apply is for Enterprise groups, which - possibly - can have a different set of relationships, with a group owner, potentially, having the ability to prevent their members joining other groups.

Jeremy


moderated Re: Clarify Photo Album Owner Name #suggestion

Duane
 

On Wed, Feb 3, 2021 at 05:08 PM, Mark Fletcher wrote:
I've removed the album owner from the /photos page and instead it's now displayed when you view a specific album
But this doesn't resolve the situation where more than one person has added photos to an album.  The album creator is shown as owner until you open a photo.

Duane


moderated Re: Changing email address security issue #misc

Robert Oshel
 

Wouldn't having the system send an email to the original address (the one being changed) requiring a confirmation that the change to the new address is legitimate before the change goes into effect solve the problem?   The would-be hijacking moderator or owner wouldn't have any control over the original address, so he or she couldn't send a confirmation that the change is legitimate and the change wouldn't take effect.

   Bob


On Wed, Feb 3, 2021 at 8:01 PM Bruce Bowman <bruce.bowman@...> wrote:
On Wed, Feb 3, 2021 at 07:29 PM, J_Catlady wrote:
If they have your email address (assuming it’s really one of their own) they can request a login link and set one up. Right?
Correct.

Currently, a Premium group Owner can change any group member's address, log out, and subsequently request a login link to that address. That being so, anyone with $20 in their pocket and a few extra email addresses can set up a Premium group for a month and shanghai the accounts of everyone who joins it.

Restricting the vulnerability to such malfeasance to those who are neither Moderators nor Owners seems quite inadequate.

Regards,
Bruce
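
The confirmation step proposed in the message above, sketched as an added example that is not part of the original thread and not Groups.io's code. The class, method names, TTL value and addresses are all hypothetical; `outbox` stands in for actually sending mail.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 3600  # seconds a confirmation link stays valid (assumed value)

class EmailChangeGuard:
    """Holds address changes as pending until the OLD address confirms them."""

    def __init__(self, members):
        self.members = dict(members)  # member_id -> confirmed address on file
        self.pending = {}             # member_id -> (token_hash, new_addr, expiry)
        self.outbox = []              # (recipient, token): stand-in for sending mail

    def request_change(self, member_id, new_addr, now=None):
        """May be called by a member, moderator or owner; changes nothing yet."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[member_id] = (digest, new_addr, now + TOKEN_TTL)
        # The token goes only to the address on file, never to the requester.
        self.outbox.append((self.members[member_id], token))

    def confirm(self, member_id, token, now=None):
        """Apply the change only for a valid, unexpired, single-use token."""
        now = time.time() if now is None else now
        entry = self.pending.get(member_id)
        if entry is None:
            return False
        digest, new_addr, expiry = entry
        if now > expiry:
            del self.pending[member_id]  # expired requests are discarded
            return False
        supplied = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(digest, supplied):
            return False
        del self.pending[member_id]      # single use
        self.members[member_id] = new_addr
        return True

    def login_link_recipient(self, member_id):
        """Login links always go to the confirmed address on file."""
        return self.members[member_id]
```

A member who has lost access to the old mailbox cannot confirm under this scheme, which is the case other posts in the thread leave to re-subscribing or to Groups.io support.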


moderated Re: Changing email address security issue #misc

Sandi D <sandi.asgtechie@...>
 

On Wed, Feb 3, 2021 at 01:43 PM, Dave Sergeant wrote:
Nobody but the member himself should be able to change email addresses.
I would agree. Email addresses should be under the control of the person they belong to and not a third party.
 
--
Sandi Dickenson
