Share settings should not auto-apply. This is a security and QoL issue

Steps to reproduce

1. Open a shared list’s share settings
2. Make any changes

Expected result

Nothing should happen until you press “apply”

Actual result

Any change, including sharing the list or removing yourself from share, is applied instantly.

Environment

Windows 10, electron app, Dynalist 1.0.39

Likely affects all web/desktop environments.

Additional information

Some of the immediate issues with this:

1. Removing your management privileges on a shared list. No ability to undo, you must ask someone else to re-add you.

2. Sharing the list. Checking the box for a second could leak your entire list to anyone paying attention, such as Google Analytics, Mixpanel, and Crazy Egg, who all know the URL of your dynalist the moment you open the page, due to having their content embedded.

Sorry but I don’t see how this is a security problem…

Are we talking about accidental mistakes or intentionally removing yourself from the collaborator list?

We use these analytics service for our own purposes to improve Dynalist, and if they abide by their terms of service they won’t spy on what URL you’re accessing. So if you check the box for a second and uncheck it, I don’t think anyone would know about it.

I think for the level of security you’re looking for, a self-hosted service is probably better. And any sharing is dangerous because the other collaborators’ computers might be compromised too.

Just my 2 cents!

Yes, I’m talking about unintentional clicks, or even intentional clicks the user doesn’t intend to save. Security settings should never automatically apply.

I’m aware of the use of analytics software and I wasn’t complaining. I’m aware Dynalisy doesn’t market itself as secure or private, and I don’t expect it to be, but I do have a basic expectation of my data not being shared. Correct me if I’m wrong in that expectation and I will move on.

Do you have Google Analytics’ privacy features enabled? If so, that handles them to a reasonable degree, but I have no trust in the other two let alone in the security-by-obscurity that having an obscure URL supposedly provides.

Regardless of my security concerns, it is definitely not good UX.

Your content data is not shared. The actions in app (which button you click) are gathered by the third party apps, but they shouldn’t make use of that information other than storing it and displaying to us for internal use only. In an ideal world we would love to custom build everything from analytics to error reporting to avoid passing them to the third parties, but with a team of two that’s just not possible. Sorry about that.

Not sure what you’re referring to. Under the “Data sharing settings” we have opted out to share any analytics data with Google.

Honestly when building the sharing interface we naturally looked at how others do it. Most newer services apply changes instantly, including those with at least UX that’s perceived to be not that bad (I’m referring to Dropbox and Notion).

I believe it partly has something to do with making everything responsive and cut unnecessary steps. So unlike you having to press “Save” or “Apply” like in those Windows setting dialogues, everything is automatically saved and applied, just like in preferences you don’t need to press “Save” to preview each theme. But this brings new problems for some people like the ones you mentioned.

Anyone else got any opinions on this?

As I said, I don’t object to your use of analytics software.

Yes, those are the settings I was referring to. Thank you for clarifying the settings.

I absolutely agree that most settings should apply instantly, this is only meant to talk about sharing settings.

An alternative might be to confirm any change that would result in the current user losing the ability to change those settings, and another confirmation when making a list public.

Confirmation for critical actions like deleting yourself sound like a more reasonable approach. Sharing is one of the oldest component in Dynalist and is due for a makeover soon. We’ll be sure to incorporate your input while redesigning it, thanks!