Add user privacy settings for profiles and user-owned pages #12

Open
opened 2024-01-14 14:19:54 -06:00 by jimmyb · 8 comments
Owner

Users need privacy settings in Laravel so they can control who can view or interact with their profile-adjacent content.

The original issue listed privacy controls for profile comments, friend adding, profile viewing, list viewing, favorites, wishlists, and blogs. Later discussion explicitly rejected bringing back a “hide me from Recent Gamer Updates” option, so that feed opt-out should remain out of scope. In the current Laravel checkout, profile pages and profile comments exist, settings pages exist, and a legacy `user_site_settings` key/value table exists, but there is no dedicated privacy settings UI or enforcement layer yet.

Scope

  • Account settings privacy page/tab.
  • Dedicated user privacy settings persistence with default public behavior.
  • Profile viewing privacy.
  • Profile comment privacy.
  • Friend request/add privacy where friend actions are implemented.
  • List, Favorites, Wishlist, and Blog visibility where those public pages are implemented.
  • Authorization helpers/policies used consistently by controllers, views, and mutation routes.
  • No Recent Gamer Updates feed opt-out.

Acceptance Criteria

  • Authenticated users can manage privacy settings from account settings.
  • Privacy settings default to current public behavior for existing users.
  • Profile Comments supports Everyone, Friends Only, and No One.
  • Friend Adding supports Everyone and No One.
  • Profile Viewing supports Everyone, Friends Only, and No One.
  • List Viewing, Favorites Viewing, Wish List Viewing, and Blog Viewing each support Everyone, Friends Only, and No One where those pages exist.
  • Owners can always view their own profile, list, favorites, wishlist, and blog regardless of privacy setting.
  • Guests and non-friends are blocked from friends-only surfaces with the expected 404 or authorization response.
  • Hidden or blocked surfaces do not expose private content through page HTML, forms, counts, pagination, or mutation endpoints.
  • Profile comment forms and POST requests honor profile comment privacy server-side.
  • Friend action controls honor friend-adding privacy server-side and in rendered UI.
  • The app does not add a setting to hide users from Recent Gamer Updates.
  • User-facing UI supports light/dark mode and follows existing Laravel/Livewire/Tailwind settings patterns.

Test Coverage Required

  • Feature tests for viewing and updating privacy settings.
  • Feature tests confirming defaults preserve current public behavior.
  • Feature tests for profile viewing privacy across guest, owner, friend, non-friend, and no-one states.
  • Feature tests for profile comment form visibility and POST authorization across privacy states.
  • Feature tests for friend-adding privacy where friend actions are implemented.
  • Regression tests for list, favorites, wishlist, and blog visibility as those surfaces are rebuilt.
  • Regression tests confirming private content is not present in guest/non-friend HTML.
  • Regression test confirming Recent Gamer Updates still does not include a user opt-out setting.
  • Tests should use Pest and focused feature coverage.
  • Run the focused affected tests, then run `vendor/bin/pint --dirty` before closing the issue.

Progress Checklist

  • [x] Public profile page exists
  • [x] Profile comment rendering and posting exist
  • [x] Account settings pages exist
  • [x] Legacy `user_site_settings` persistence exists
  • [x] Profile/header links reserve list, favorites, wishlist, and blog surfaces
  • [x] Recent Gamer Updates opt-out was explicitly rejected in issue discussion
  • [ ] Add dedicated privacy settings persistence and defaults
  • [ ] Add privacy settings page/tab under account settings
  • [ ] Add privacy authorization helpers or policies
  • [ ] Enforce profile viewing privacy
  • [ ] Enforce profile comment visibility and posting privacy
  • [ ] Enforce friend-adding privacy where friend actions exist
  • [ ] Enforce list, favorites, wishlist, and blog visibility as those pages are rebuilt
  • [ ] Hide private content, forms, links, and action URLs from unauthorized viewers
  • [ ] Add tests for settings, defaults, authorization, hidden HTML, and mutation blocking
  • [ ] Confirm privacy behavior is consistent across public and authenticated surfaces
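
An added sketch of the viewing rules in the acceptance criteria (not code from the MyVideoGameList repository): plain PHP 8.1 with hypothetical names (`Audience`, `ViewGate`, the surface keys and stored values), plus one assumption the issue does not state, that an unrecognized saved value is treated as No One.

```php
<?php
declare(strict_types=1);
// Hypothetical names throughout: the issue defines no schema or class layout.
enum Audience: string
{
    case Everyone = 'everyone';
    case FriendsOnly = 'friends_only';
    case NoOne = 'no_one';
}
final class ViewGate
{
    // $stored: surface => saved value for this owner; $friendIds: accepted friends.
    public function __construct(
        private int $ownerId,
        private array $stored,
        private array $friendIds,
    ) {}
    // No saved row => Everyone, so existing users keep current public behavior.
    // Unrecognized saved value => NoOne (assumption: fail closed on bad data).
    public function audience(string $surface): Audience
    {
        if (!array_key_exists($surface, $this->stored)) {
            return Audience::Everyone;
        }
        return Audience::tryFrom($this->stored[$surface]) ?? Audience::NoOne;
    }

    // $viewerId is null for guests; call this before querying any content or counts.
    public function canView(string $surface, ?int $viewerId): bool
    {
        if ($viewerId === $this->ownerId) {
            return true; // owners always see their own surfaces
        }
        return match ($this->audience($surface)) {
            Audience::Everyone => true,
            Audience::FriendsOnly => $viewerId !== null
                && in_array($viewerId, $this->friendIds, true),
            Audience::NoOne => false,
        };
    }
}

// Constructed sample: owner 1, friend 2, stranger 3, guest null.
$gate = new ViewGate(1, ['profile' => 'friends_only', 'wishlist' => 'no_one'], [2]);
foreach (['profile', 'wishlist', 'blog'] as $surface) {
    foreach (['owner' => 1, 'friend' => 2, 'stranger' => 3, 'guest' => null] as $who => $id) {
        printf("%-9s %-9s %s\n", $surface, $who, $gate->canView($surface, $id) ? 'allow' : 'deny');
    }
}
```

In Laravel the same decision would sit in a policy or gate that controllers, views, and mutation routes all call. The issue states the owner bypass only for viewing, so comment posting and friend adding need their own rule.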
Author
Owner

I'd love to hear some feedback from @zerophoenix and @crunchn when y'all get a chance 😄

Author
Owner

Originally posted by ZeroPhoenix.

I like this idea. It keeps the profile more private and personal.

Maybe add a 'block' list too? I would say that Only allow friends to comment on profile would take care of that but sometimes I like random comments you can get from people. lol

Author
Owner

@zerophoenix I think that's actually another good idea, a block list. We could have a button on users' profiles that shows for people logged in which would allow them to block them as well as a text box under the privacy tab which lists blocked people and where they can just add more.

Author
Owner

I've updated the title on this one.

Author
Owner

Alright, it's been a while since this issue has been updated. I want to use this comment to put together a more complete list of what things we should include in privacy settings:

  • [ ] Profile Comments - Everyone, Friends Only, No One
  • [ ] Friend Adding - Everyone, No One
  • [ ] Profile Viewing - Everyone, Friends Only, No One
  • [ ] List Viewing - Everyone, Friends Only, No One
  • [ ] Favorites Viewing - Everyone, Friends Only, No One
  • [ ] Wish List Viewing - Everyone, Friends Only, No One
  • [x] Blogs - Everyone, Friends Only, No One

Of course there could always be more options so I am open to suggestions.
Author
Owner

Originally posted by v

Please add an option to opt out of showing up on the "Recent Gamer Updates" activity feed. It's the main reason why I haven't signed up yet. I'd prefer not to have my activity broadcasted publicly like a social media website.
Thanks.

Author
Owner

@vglist This was previously an option but removed as this is a social site and we want people to be able to find others playing and enjoying the same games. We will not be adding this back in.

Author
Owner

Originally posted by v

@jimmyb Ah, makes sense. Thanks for the reply.

Codex changed title from Add More Privacy Options to Add user privacy settings for profiles and user-owned pages 2026-05-26 00:15:33 -05:00
Reference
MyVideoGameList/myvideogamelist.com#12