Comment by gejose

2 days ago

Love Obsidian but I've previously commented about the security model for plugins here: https://news.ycombinator.com/item?id=45308131. TLDR: your entire vault (and possibly filesystem) is exposed to every single plugin you install.

I really do think Obsidian needs 2 things to have any reasonable security:

1. It needs to be a lot more batteries-included. A user shouldn't need a plugin for basic functionality.

2. It needs a granular permission system, where each plugin should have to declare and prompt you to allow or reject specific permissions, just like on iOS and Android. The system should enforce that a plugin cannot bypass this.

> A user shouldn't need a plugin for basic functionality.

What functionality are you thinking of? I just looked and I've never enabled community plugins.

My Obsidian complaint is the opposite. I think it's bloated well beyond the initial premise of a markdown editor over a directory of files. I think it was just about perfect right before the introduction of the Canvas feature.

> More batteries-included

Can I ask, what basic functionality is Obsidian missing in 2026? (I work on the app)

  • Hey kepano, really love the work you're doing!

    Here are some features I wish existed in Obsidian without any plugins:

    * Dataview [1] (this is now solved with Bases, so I really appreciate that)

    * Folder Note [2] (I, and I assume many others, come from Notion, and I wish this were a thing)

    * Recent files [3]

    * A built-in calendar [4]

    * Link embeds [5] (or something to store previews for pasted links)

    * Waypoint [6], or something to create a table of contents

    These are just things I wish existed, but whether or not these are 'basic' can be debated. Ultimately I do wish there were a robust permission system for plugins so that personal functionality gaps can be plugged, but without compromising safety.

    References: [1] https://blacksmithgu.github.io/obsidian-dataview/ [2] https://github.com/xpgo/obsidian-folder-note-plugin [3] https://github.com/tgrosinger/recent-files-obsidian [4] https://github.com/liamcain/obsidian-calendar-plugin [5] https://github.com/Seraphli/obsidian-link-embed [6] https://github.com/IdreesInc/Waypoint

    • I had a recent files plugin but bases let me remove it.

      I have a "system" base that I put on the ribbon. It defaults to "recently created", but I have a bunch of different views for hunting down anomalies too.

  • There are many essential features missing that should be included in the core app for security, compatibility, longevity and for the benefit of new users who prefer to stay clear of plugins.

    1) Basic functional search

    Search should handle different order of words, misspellings (fuzziness), offer indexing and searching in a larger scope than just titles and aliases (e.g. headers or content), as well as allowing users to customize search priorities. Basically - just include Omnisearch as a core plugin.

    2) Basic image preview

    Displaying an image on full screen, with panning and zoom, when clicked upon.

    3) Full "folder notes" support

    Out-of-the-box support for a vault structure where each note has its own dedicated folder where all its attachments are placed. While the basic functionality is present, an external plugin is required to declutter the vault file hierarchy and actually make this approach feasible. Folder notes approach is in my opinion the only way to keep a large vault organized.

    4) Basic formatting.

    Text coloring. Text alignment and justification. Basic image positioning. Proper text flow wrapping around images. Table formatting (at least a setting for minimum column width).

    5) Markdown parsing within HTML tags

    Basic Markdown features like [[linking]] don't work within a section of text enclosed by HTML tags. And using HTML/CSS is currently required to achieve basic formatting like centered or colored text.

    6) Option to use the first h1 tag as the note title

    I'm talking about actual support for this and integration with core functionality like search and linking. Useful (sometimes long) titles are an essential part of note-taking and knowledge databases. Meanwhile, filenames are simply semi-unique file system identifiers. Forcing users to use filenames as titles compromises the usefulness of titles and leads to issues with filename / filepath length. In HTML and Markdown, the h1 tag was always intended for the title.

    7) Consistent formatting between reading view and editing view

    Rendering of content, especially vertical spacing between elements, differs between those views for no credible reason. The code syntax highlighter is also deficient in editing mode, despite it being the mode in which Obsidian users spend 99% of their time while writing, editing and reviewing notes.

    It's not an exhaustive list, but these are the biggest pain points right now. And let me repeat - you shouldn't continue to rely on community plugins for these features. Even though community plugins are great, they are a security concern, their development could cease at any point, and new users don't know about them.