Possible security leak? : notes in RSS feed but not in website library

I see my notes in the RSS feed of my library but not in the website presentation level.

I have logged out to ensure I am seeing the "public" view.

I have 'publish my library' turned on,
'publish my notes' turned off.

Or at least I would call them notes; they are not the "notes" table of each item, but the full-text comments allowed against each attachment. That's where I normally store my notes.

Is this a security error?

For example,

Attachment, but no notes:

Feed, with notes ('note' field):
https://api.zotero.org/users/33673/items, scroll down until you see 'http://zotero.org/users/33673/items/152514213'
which is a link from http://www.zotero.org/willsmithorg/items
  • This sounds like a confusing aspect of the Zotero terminology. This is likely an oversight, and I'm not sure how this should be interpreted and addressed.

    The text field in the right column for attachments is not what Zotero calls a note -- notes are stand alone or child, and this is neither. That said, this text field looks just like the one for stand alone and child notes, so there's no reason for you or anyone to assume that the "Publish my notes" option does not include it.

    This isn't a security leak, however. It's an unclear description of Zotero's functionality that could lead to some people unknowingly making some of their comments public. The description or behavior needs to be adjusted.
  • Yes, this behavior probably needs to be adjusted to be in line with user expectations. The API currently checks access only on the item level, but in this case it will have to check on the field level as well. This will take a little work, but we'll try to get to it soon.
  • Hi!

    I was wondering if any schedule has been put on fixing the notes showing up in the rss feeds.

    I still have item:notes 'note' coming through on my Zotero library RSS feeds. I was previously scrubbing them out using Yahoo Pipes, but Pipes was shut down last summer. In Yahoo Pipes I was applying a script to delete/remove the 'note' divs from the RSS feed (to pass on to another service to post on Twitter). I was also doing a little formatting/cleanup to make it look more like a tweet.

    Any recommendations for replacements for Pipes from folks working with the RSS feeds from Zotero libraries? FeedsAPI looks nice, but is kinda pricey.
  • I also wanted to comment:

    In my experience with teaching academics how to use bib ref mgmt software: they don't mind sharing references and bibliographies widely & publicly, but consider their notes to be private and/or personal intellectual property. Most of the faculty I've worked with didn't want their notes being shared outside the research group, and would be especially upset to learn that their notes could be aggregated into a data dump via public RSS feeds and/or APIs.
  • Follow-up: dlvr.it (the service I use for propagating RSS items to Twitter) now includes some RSS filtering and feed adjusting tool buttons that allow one to exclude items with specific text from the feed.

    So within dlvr.it I configured the feed delivery to exclude all items with the 'item:note' field e.g. [api:itemType]note[/zapi:itemType] (but you'd need to reformat this text as the comment box system excludes anything with <> angle brackets).
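The two workarounds above (scrubbing note entries out of the feed in Yahoo Pipes, and excluding entries whose `zapi:itemType` is `note` in dlvr.it) amount to the same filter, so here is that filter written out as a small Python script. This is an added example, not code from the thread's posters or from Zotero itself. It assumes the Atom shape the Zotero API returns, with per-entry metadata in a `zapi:` namespace whose URI (`http://zotero.org/ns/api`) is taken as an assumption here; the feed text, item keys and note content are constructed for the example. The first function audits a feed and reports which entries are notes, so a library owner can see what a public feed exposes before wiring it into any downstream service; the second removes those entries for re-publishing.

```python
import xml.etree.ElementTree as ET

ATOM_NS = "http://www.w3.org/2005/Atom"
# Namespace for the zapi: elements in Zotero API feeds (assumed URI; the prefix
# itself is the one quoted in the thread).
ZAPI_NS = "http://zotero.org/ns/api"
NS = {"atom": ATOM_NS, "zapi": ZAPI_NS}

# Keep the original prefixes when serialising the filtered feed again.
ET.register_namespace("", ATOM_NS)
ET.register_namespace("zapi", ZAPI_NS)

# Constructed sample feed: two ordinary items and one stand-alone note, shaped
# like the Atom the Zotero API returns. Keys, titles and note text are made up.
SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:zapi="http://zotero.org/ns/api">
  <title>Zotero / Example User / Items</title>
  <entry>
    <title>A Paper Everyone May See</title>
    <id>http://zotero.org/users/0000/items/KEY00001</id>
    <zapi:key>KEY00001</zapi:key>
    <zapi:itemType>journalArticle</zapi:itemType>
  </entry>
  <entry>
    <title>Private reading notes</title>
    <id>http://zotero.org/users/0000/items/KEY00002</id>
    <zapi:key>KEY00002</zapi:key>
    <zapi:itemType>note</zapi:itemType>
    <content type="xhtml"><div xmlns="http://www.w3.org/1999/xhtml"><p>Do not cite chapter 3, the data looks wrong.</p></div></content>
  </entry>
  <entry>
    <title>Scanned PDF</title>
    <id>http://zotero.org/users/0000/items/KEY00003</id>
    <zapi:key>KEY00003</zapi:key>
    <zapi:itemType>attachment</zapi:itemType>
  </entry>
</feed>
"""


def _item_type(entry):
    return entry.findtext("zapi:itemType", default="", namespaces=NS)


def note_entry_keys(feed_xml):
    """Audit step: return the zapi:key of every entry whose item type is 'note'."""
    root = ET.fromstring(feed_xml)
    return [
        entry.findtext("zapi:key", default="", namespaces=NS)
        for entry in root.findall("atom:entry", NS)
        if _item_type(entry) == "note"
    ]


def strip_note_entries(feed_xml):
    """Return the feed with every 'note' entry removed, for passing downstream."""
    root = ET.fromstring(feed_xml)
    for entry in list(root.findall("atom:entry", NS)):
        if _item_type(entry) == "note":
            root.remove(entry)
    return ET.tostring(root, encoding="unicode")


def entry_titles(feed_xml):
    """Titles of the entries still present, in feed order."""
    root = ET.fromstring(feed_xml)
    return [e.findtext("atom:title", default="", namespaces=NS)
            for e in root.findall("atom:entry", NS)]


if __name__ == "__main__":
    exposed = note_entry_keys(SAMPLE_FEED)
    print("note entries in public feed:", exposed)
    cleaned = strip_note_entries(SAMPLE_FEED)
    print("entries after filtering:", entry_titles(cleaned))
```

Run the audit against a feed fetched from the API before handing that feed to any re-publishing service; if it returns any keys, the "Publish my notes" setting is not doing what you expect. The filter only catches stand-alone and child note entries, which is what the dlvr.it rule above matches too. The comment text stored on an attachment, which the original post is about, lives inside an attachment entry rather than a note entry, so no entry-level filter can remove it; that is the field-level access check the developer reply says has to happen in the API.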