solved Using the old Ning profile data, and adding backup contact-address field in the user-account form

Today I could at last understand how to visualise the retrieved Ning profile data, by creating matching fields in the user-account form.

In the process, I created a new user-account field called "Backup contact method for use by Admin (optional)". This can be seen by Admin and the user, but will not be on the public profile page or user signup form.

For the Ning profile data that I wish members to be able to revisit and update, as private account data, I set the Display instruction to Normal Users (and other categories, though Normal may be the key category to use).

For the Ning profile data that I wish members to ignore, I set the Display instruction to Admin only.

For Ning profile data that is important for the signup process, so that I can judge applications, I put the old Ning field into the Account-Signup form.

All user data that I wish to be shown in the public profile page is collected using the profile create and profile settings forms (mostly in the latter, so that members do not have to face all the data collection when they first create a public profile) (perhaps it is better to put all the profile the fields into the profile create form as well).

At my site, the profile fields (mostly optional) are published in the sidebar using a template in the Profile module that JR people kindly set up for me.

Members will have to rebuild their public profiles manually, but a lot of their data is still visible to them, and to me, in the private user-account area. I thought previously this would be a problem, but I think it is good for my long-term members (ex Ning) to reassess what they want to show in the public profile when they come back to the site.

Perhaps I should end with a question. What is the best balance in use of the profile create and profile settings forms....

1. Place all fields in both?
2. Just a starter set in the create form and most in the settings?
3. Most in the create form and follow-up data collection fields in the settings?



--
PJ Matthews, Kyoto
Migrated from Ning 2.0. Now at Jamroom 6 beta and using Jamroom Hosting for The Research Cooperative (researchcooperative.org)
updated by @researchcooperative: 01/16/17 01:15:21AM

Your site, your choice.

Personally I would think exactly the same fields in both. Cant think of a situation where I want the user to be able to add info, then not be able to update it.

The profile create form is only going to be usable by users who you allow to create extra profiles, like "Power Users"

Docs: "User: Power User"
https://www.jamroom.net/the-jamroom-network/documentation/jamroom-admin-handbook/2982/user#power-user

For users who get their profile when they create their user account by signing up, they will only ever see the UPDATE form.

Then, in most cases, we may need to make sure that all fields in the Create form are also present in the Update (settings) form. That way the ordinary member can edit all their account data.

But hold on! Is there a security issue here? Could someone sign up with fully valid appearing details, and then edit everything in order to give control of the account to someone else for whatever purpose they wish?

What is the minimum requirement to prevent this, or make it less easy to do?


--
PJ Matthews, Kyoto
Migrated from Ning 2.0. Now at Jamroom 6 beta and using Jamroom Hosting for The Research Cooperative (researchcooperative.org)

Not following how that is a security risk.

I signup with the username 'smiling_dog_205' then change my username to 'grey_fish_999'.

Outward appearance show everything ever written by smiling_dog_205 now written by grey_fish_999. How is that a security risk?

If you dont want them to change it, set it as admin only.

Hmm... I suppose it is only a security risk in the sense that if our access codes get in the hands of someone else, or are deliberately given to someone else, the profile could be changed, previous postings deleted, and the profile used in any way possible within the system... if no one is looking.

This is a general risk for any social network site, not specific to JR. It is why we try to vet our members before letting them join.

I will call this solved. Thanks.


--
PJ Matthews, Kyoto
Migrated from Ning 2.0. Now at Jamroom 6 beta and using Jamroom Hosting for The Research Cooperative (researchcooperative.org)

We do have the "2 factor authentication" module

Module: "2 Factor Authentication"
https://www.jamroom.net/the-jamroom-network/networkmarket/3/2-factor-authentication

Which, when you (or anybody) submits the correct login details for your account, instead of getting immediately logged in, you are sent an email with a code in it. You must then enter that code to complete the login.