Inappropriate Permissions

[AileneRHerrick]

Just today, I noticed that I had the option of showing the record number of anyone in the directory. I am the ward website administrator, but I am not a clerk. It doesn't seem like I should be able to view such sensitive information. Just want to make developers aware!

[jdlessley]

I noticed the same thing and made an inquiry In the Directory 2.1 Update Released thread as to what constitutes a unit leader. I guess when there is a response in that thread then we may know who is intended to see the MRN. I welcome this capability to view the MRN to assist members with LDS Account registration or issues. If it was unintended then it will disappear once they recognize who has the permissions to see this.

[AileneRHerrick]

I welcome this capability to view the MRN to assist members with LDS Account registration or issues.

I thought of that too. That would be handy.

However, since the developers have elected not to give me the ability to edit email addresses and such things from the directory (since I'm not a clerk), I figured they would also not allow me to view more sensitive information.

[mevans]

However, since the developers have elected not to give me...

It's not "the developers" who are making such choices. The Priesthood Department decides what we see in these tools, including who has permissions to do what. Generally, we get no explanations of decisions that are made. Occasionally we get some glimpses of what goes on internally. At the end of the day, someone has to make a decision about what they want the developers to create, and most likely everyone internally isn't happy with every decision.

It's not that dissimilar to the patterns you see with other software companies. Some are more open with their decision making process, but many are not, and as a user of a product or service you may be left wondering why a company chose to do something the way they did.

[russellhltn]

It's not "the developers" who are making such choices. The Priesthood Department decides what we see in these tools, including who has permissions to do what.

No disagreement, but the question is, is this a bug or a decision? My uninformed vote is "bug".

Given the potential security issue, I've emailed a Directory contact.

[AileneRHerrick]

No disagreement, but the question is, is this a bug or a decision? My uninformed vote is "bug".

That's what I'm saying. I'm not saying a decision was made and that I disagree with it. I'm saying that I think when they were programming, a mistake was probably made that gave me access to information that I'm probably not intended to have access to. If this is indeed the case, then it would need to be remedied as soon as possible.

Is this the right place to post this where the right people will see it?

[russellhltn]

I've sent off an email with my last post. We'll see what kind of response we get.

[aebrown]

It's not "the developers" who are making such choices. The Priesthood Department decides what we see in these tools, including who has permissions to do what.

No disagreement, but the question is, is this a bug or a decision? My uninformed vote is "bug".

The particular issue that mevans raised is most definitely not a bug. He was responding to "the developers have elected not to give me the ability to edit email addresses and such things from the directory (since I'm not a clerk)." We have abundant evidence that this was a specific choice.

The issue mentioned in the original post (where a non-clerk website administrator has "the option of showing the record number of anyone in the directory) is a different question. I would tend to agree that this was an oversight in applying permissions to this new feature, and thus is a bug.

[AileneRHerrick]

The particular issue that mevans raised is most definitely not a bug. He was responding to "the developers have elected not to give me the ability to edit email addresses and such things from the directory (since I'm not a clerk)."

Whoops, now I see that! Thanks for clarifying. And in response to that... I know, but I guess I consider the men with the priesthood authority to be part of the developers, even though they're not doing the actual programming. I guess that's why I misunderstood the response.

Anyway... I guess I can consider the "bug" reported.

[johnshaw]

I have a hard time believing that the 'priesthood leaders' are actually making the assignment, but rather giving general direction to allow appropriate access to the appropriate individuals based on their callings and handbook assignments. When a question arises that might be ambiguous, I can see that going up for a decision. The current https://leader.lds.org grants access to Stake Executive Secretaries access to Clerk areas of responsibilities, according to tradition, assignment and the handbook. However, I can see where some in the department might say, well in my stake the ExecSec does that and it gets written into code because nobody else has that experience.

The reason I believe this is that it takes very little time during the beta cycles to make changes like that as we notice them as a community, however, after something goes live.... it takes a very long time, in fact, programmers would avoid going back to make changes by providing interesting justifications for why it's there rather than run it up the chain... Those decisions take a long time.

Again, by way of observation and deduction only... the above may not reflect reality at all.