BuddyPress

I just realized that when logged out, the activity stream for private groups is displayed!
This is a serious security concern!

Private is basically read- and invite- only. http://codex.buddypress.org/getting-started/group-settings-and-roles/

if you want to modify that behavior you can edit the theme files which i did for my community. users browsing the page don’t see anything unless they register. i used the wordpress-function is_user_logged_in()
files to consider:
/wp-content/plugins/buddypress/bp-themes/bp-default/activity/activity-loop.php
and to hide the rss-button (private groups still in rss if you know the link or browse the source code – but users not logged using the site don’t see anything):
/wp-content/plugins/buddypress/bp-themes/bp-default/activity/index.php

@djpaul, from the BP website: “Private groups are also visible in group directories. The group name and group description remain available for all to see. However, the contents of the group are accessible only to members….” This is not how it works in 1.5.1 – it must be a bug?

@wiking thank you for the workaround, but I would like a more bullet proof solution as I am using BP for professional purposes…

Either a bug with the code or a bug with the description.

I am having this issue – Private Groups are showing up to logged in users, under the ‘my friends’ tab in the activity stream, even though they themselves are not a member of the group that is private!! I am using BP for a paid membership site, please help, this is a hole in the privacy….

I removed the ‘all members’ activity stream option/tab from my theme, so I don’t have to worry about that, but still…private group activity shouldn’t show up there?!

I can’t reproduce either issue on my local installations.
– Hidden/private group activity does not show for logged-out users
– Hidden/private group activity does not show on the Friends activity tab

Are either of you running plugins that affect the way that activity works? Or is there something in your custom theme that modifies the activity loop?

This is even WORSE…

-Hidden/private group activity DOES show for logged-out users
-Hidden/private group activity DOES show on the Friends activity tab

I’m using Themekraft CCPro as well as S2member.
Also using BP Forums Extras: View activity comments on forum posts
Activity Bump.

I’ve made no modifications to activity-loop.php.

For the moment, I can restrict activity for not logged in users by using s2member’s uri restrictions, but this is just a patch, there’s something funny going on here.

Daisy

PS as an aside, I can’t access any forum topics I’ve started or replied to through my profile page *on this site*. Also can’t post activity updates or private messages to anybody. Can’t access forum replies via the menu at the very top of the page either.

Can you switch to bp-default to see if the problem persists?

In bp-default, the problem persists.

I’m still following this, any update?

Boone Gorges, or anybody else, is there an update on this? PLEASE let me know, this is a serious issue

I’m unable to reproduce the problem. Without being able to reproduce, I’m afraid there’s nothing I can do.

Perhaps you can try installing a fresh installation of BuddyPress somewhere else, and then attempting to reproduce the issue. Take careful notes of the steps required to reproduce, so that you can share them with the team.

I think I figured out my problem – the groups WERE set to public, and when I set them to private, the hide_sitewide value in the SQL database didn’t get changed.

So, now I need to change ALL those values from 0 to 1. What SQL statement do I run to do this?

And, is there a plugin or update to get it so that when the status of a group changes from public to private, all the posts ARE switched from 0 to 1?

Never mind, figured out the SQL statement, set all activity to hide_sitewide=1

PHEW! It’s not clear, btw, that setting groups to private doesn’t change this setting, I had to dig and dig and dig. Really, don’t you think it SHOULD? If you set a group from private to public, I can see it not being retroactive, but if it’s going from public to private, imo it should ALL go private.