Mash, first impressions
So Yahoo! Mash is now in (semi?) public beta. It's interesting to play with... obviously not quite finished yet, but there are some very clever bits in there. It's somewhere in between Facebook and MySpace; it looks a lot like MySpace, but with widgets and the promise of a 3rd party API for application development.
The clever "new" idea here is making everything editable by everyone. Luckily there are privacy controls, so you can turn this feature off if you don't like it. It's nice to see this sort of thing coming back; it's what everyone was doing back in 2002, but then the spammers came, and most things since have been pretty much read only to anyone but the page owner. Being inside a social network, you have more control now. It's not at the trust metric point yet -- edit rights can only be granted to / revoked from coarse groups that you have selected ("Everyone", "All Friends", "Some of my Friends") -- but the door is open to allow things like "Allow people my friends trust to edit their profiles to edit mine too" in future.
Familiar things
Snooping on the AJAX traffic with Firebug, it feels very familiar after working on our own widgetization system (where we can include bits of the PeopleAggregator UI as server-side widgets in other people's websites). It'll be interesting to see if Mash goes in that direction - providing social networking components for other Y! properties - or whether it's trying to be a platform, a separate site, to give Yahoo! more space to sell ads.
At first I thought several of the modules (the main ID block, About Me, and My Stuff) were built around a general purpose key-value profile store + API, but on closer inspection it seems that there are actually several different ways to do more or less the same thing.
When updating the "About me" block, Mash does a POST to /ws/profile?action=update&owner=your id parameter&ws=1&rand=random number with key=profile key and value=value of profile item, among other things. This returns a small JSON object containing the new rendered HTML for that profile line.
[[ For hackers: The keys for the default questions are: animal, best, celebrity, doing, future, hobbies, movie_character, music, nicknames, say, something, soundtrack, style, talents, unique, words. Creating a new field called "New Field" makes a key called New_Field. Creating a second field called New_Field overwrites this; I guess the field name you provide gets stored as a label and munged into a key name as well. (So don't make a field called "animal" or you'll lose the first question, etc...) ]]
Changing your name or quote, on the other hand, uses a different service: /ws/coreid, to which you just post nickname=new name, or tagline=new quote. This returns a JSON object with all your details.
Then there's another way of doing it, for the My Stuff block. Clicking 'Edit' makes a GET request to profile.php?action=edit&module_id=mystuff&...etc..., and posting the form that appears POSTs back to profile.php.
Tagging uses yet another method: everything POSTs to /get_component.php, which returns more JSON containing HTML.
I guess what's happening here is that the 'tags' block is using their prototype 3rd party dev API (this is the bit that reminds me of PeopleAggregator's protocol -- we have other websites routing everything via /widget_dispatch.php), whereas the main ID block and About Me are baked in and use builtin web services. Not sure what's going on with My Stuff; perhaps this was an earlier attempt at the 3rd party API?
Bugs and nitpicks
The only really annoying thing about the site is its slowness... the AJAX popups have too many round trips, and there aren't any spinners, so if nothing happens when I click on something, I don't know whether my click didn't register, or if I just have to wait a bit longer. Mash's AJAX person, if you're reading this, please see if you can preload things like the 'add X as a friend' popup. It's encouraging to see that the "Grab it!" buttons' popups appear immediately, so hopefully this is probably an item on somebody's to-do list already.
Bug: The Blog / RSS feed module's HTML sanitization is a little messed up. It looks like it grabs the first 130 characters of the post, adds the timestamp, then sanitizes afterwards, whereas it should be sanitizing the first 130 characters, then adding the timestamp. It screwed up on my preforking Rails server post, resulting in an invalid <a> tag around the timestamp, and no </div> after the post summary.
Feature request
This would be the perfect place to implement Dave Winer's relationship tagging idea -- it would fit in very well with the whole editable/taggable feel of the rest of the site.