Skip to:
Content
Pages
Categories
Search
Top
Bottom

All site data visible to members and non-members alike

  • Avatar of Tyler Regas
    Tyler Regas
    Participant

    @tylermobodojocom

    I’ve been poking around for some time and I’m a little surprised that not one person has been confused by the complete lack of security in BuddyPress. I have started a closed beta program for a project I’m working on for the Autism community. Without going into a lot of detail, the Autism community requires strong security. Facebook offers their version of security in that you need to be logged in and a friend in order to see someone’s profile information. All social systems I have seen and/or worked offer a choice about what you want to make public facing or only for approved individuals.

    BuddyPress offers no such protection at all. Nothing. Everything I can see while logged in as admin I can see by not logging in and simply clicking around. I’ve been using WordPress for 5 years now and, while I’m new to WPMU and BuddyPress, I know that there are no options for managing who gets to see what and under what circumstances. This would seem to me to not only be a critical aspect of any social network, but also a rather simple one to implement. Then again, I’m no coder. I’m just a weekend hacker with lots of sysadmin experience.

    Regarding my audience, there’s no way I can let people put in their personal information and let some random asshat walk in and read it, or worse, act on the personal and identifying information they find there. That’s just not possible.

    Is there something I’m missing? Some people tell me I’m smart, but I rarely believe them, so its very possible I’ve missed something obvious.

    Help?!

Viewing 22 replies - 26 through 47 (of 47 total)
  • Avatar of Windhamdavid
    Windhamdavid
    Participant

    @windhamdavid

    @tyler ~ I’ve now built two similar ‘medical related’ sites where the privacy was of utmost concern and I used my code from above beautifully. You could drop the plugin and the secondary install and just use that for any pages you want to keep private from both unregistered users and spiders/robots.

    Avatar of Jeff Sayre
    Jeff Sayre
    Participant

    @jeffsayre

    So, how many people are employed by Auttomatic to work on this project?

    One. Andy.

    I’ve been poking around for some time and I’m a little surprised that not one person has been confused by the complete lack of security in BuddyPress.

    You need to poke around a little more. ;)

    http://buddypress.org/forums/topic/privacy-1

    http://buddypress.org/forums/topic/privacy

    http://buddypress.org/forums/topic/buddypress-privacy-component-an-update

    Also, privacy is on the BuddyPress roadmap.

    As Andy states, implementing privacy in BP or any social network is not an easy task. I am working on updating my older privacy component to work with BP 1.2 and WP/WPMU 2.9.x. It will be awhile longer before I have a working alpha for testing. But, privacy is coming to BuddyPress!

    Avatar of andrew_s1
    andrew_s1
    Participant

    @andrew_s1

    I’ve submitted a ticket for the issue of wp-login not being registered as a root_component:

    http://trac.buddypress.org/ticket/2074

    There’s a patch attached to that ticket, to make the necessary changes to bp-core.php

    And here’s my revision of the lockout plugin:

    <?php
    /*
    Plugin Name: BuddyPress Lockdown
    Plugin URI: http://buddypress.org/
    Description: Lock down your BuddyPress site if a user is not logged in.
    Author: Andy Peatling & Andrew_S1
    Version: 1.1
    Author URI: http://buddypress.org/
    Site Wide Only: true
    */

    function bp_lockdown() {
    global $bp;

    if ( BP_REGISTER_SLUG != $bp->current_component &&
    BP_LOGIN_SLUG != $bp->current_component &&
    BP_LOGIN1_SLUG != $bp->current_component &&
    !is_user_logged_in() ) {

    bp_core_redirect( site_url( BP_LOGIN_SLUG ) );
    }
    }
    add_action( 'bp_init', 'bp_lockdown');
    ?>

    Avatar of andrew_s1
    andrew_s1
    Participant

    @andrew_s1

    Note that using this method, if buddypress became deactivated, all of your site’s posts, and the comments, would become completely visible.

    Avatar of andrew_s1
    andrew_s1
    Participant

    @andrew_s1

    Code revised to give protection even if buddypress gets deactivated: adds a second line of defence by hooking a wordpress action too. I’ve assumed that there’s no conflict here, but I don’t know if these two hooks collide. It seems to work ok.

    <?php
    /*
    Plugin Name: BuddyPress Lockdown
    Plugin URI: http://buddypress.org/
    Description: Lock down your BuddyPress site if a user is not logged in.
    Author: Andy Peatling & Andrew_S1
    Version: 1.2
    Author URI: http://buddypress.org/
    Site Wide Only: true
    */

    function bp_lockdown() {
    global $bp;

    if ( BP_REGISTER_SLUG != $bp->current_component &&
    BP_LOGIN_SLUG != $bp->current_component &&
    BP_LOGIN1_SLUG != $bp->current_component &&
    !is_user_logged_in() ) {
    bp_core_redirect( site_url( BP_LOGIN_SLUG ) );
    }
    }
    function wp_lockdown() {
    if ( !is_user_logged_in() ) {
    auth_redirect( 'wp-login.php' );
    }
    }

    add_action( 'bp_init', 'bp_lockdown');
    // if no buddypress, have a backup plan
    add_action( 'send_headers', 'wp_lockdown');
    ?>

    Avatar of Tyler Regas
    Tyler Regas
    Participant

    @tylermobodojocom

    @Windhamdavid ~ I believe that you’ve made some code changes along the way in this thread. Would you mind aggregating that into a single block of code so I don’t miss anything, please?

    Thanks!

    Avatar of Tyler Regas
    Tyler Regas
    Participant

    @tylermobodojocom

    @Jeff Sayre ~ A brain fart prevented me from searching for the keyword “privacy” as opposed to the “security” keyword I used. Thanks for pointing out those threads.

    Avatar of Jeff Sayre
    Jeff Sayre
    Participant

    @jeffsayre

    @Tyler Regas-

    Haha! No problem.

    Privacy, permissions, authorization, ACL (access control list), and even security could all be used to describe this topic. So, I understand.

    Suffice it to say, this issue is being worked on, it will just be a little while longer.

    Avatar of Tyler Regas
    Tyler Regas
    Participant

    @tylermobodojocom

    I have to say that I’m glad to see that the community around BP appears to be very strong, and that’s good thing. I’ve always tried very hard to advocate for open source, and have done so for over a decade now. I plan on advocating more for WordPress, BuddyPress, and bbPress, as well as the WordPress Foundation through my Autism site. I take exception to those who talk about being able to tell when a site is based on WordPress. Of course, its up to the designer of the site whether or not they will fly that flag, and I’ve long ago decided that I would let everyone know what I was using to get things done. I’ve been running Mobodojo on WP since 1.2.

    Sadly, though, I’ve been growing accustomed to the automagical nature of WP and have stopped using themes which need to be tweaked every time the code base gets updated (though Atahualpa and Arras are stunningly powerful themes) as well as counting on plugins to do everything I need. The deficit lies in the fact that I’m hopeless when it comes to coding. Sure, I can edit existing PHP and even make it work 13% of the time, and I’ve been hacking around HTML for years, but there are things I need to have my site do, and so I’ll need to buckle down and either find out a way to do it myself or pass along my passion to someone (or someones) who have the skills.

    I realize that my opening post sounded upset, and I was, but that frustration should never have been vented on the BP community. I do thank you all for making some mild fun of me and, otherwise, being very cordial and helpful. I’m also pleased with myself to have managed to spark a little bout of debugging :)

    The site is phrind.com. If you aren’t a member, you will be redirected to blog.phrind.com.

    Avatar of Peterverkooijen
    peterverkooijen
    Participant

    @peterverkooijen

    Tyler Regas, totally agree with your criticism.

    I believe the problem is BP/WPMU is entirely programmer-driven. There are no usability experts or project managers involved who look at it from a business requirement perspective, so new interesting features always seem to get priority over boring and difficult things like security/privacy.

    Flame away regulars! Just my 2 cents. Don’t blame Tyler, who went out his way not to offend.

    Avatar of andrew_s1
    andrew_s1
    Participant

    @andrew_s1

    There’s a trac ticket with a patch for bp-core.php, and a reworked version of Andy Peatling’s plugin, just here: http://trac.buddypress.org/ticket/2074

    Avatar of andrew_s1
    andrew_s1
    Participant

    @andrew_s1

    There’s a trac ticket with a patch for bp-core.php, and a reworked version of Andy Peatling’s plugin, just here: http://trac.buddypress.org/ticket/2074

    Avatar of andrew_s1
    andrew_s1
    Participant

    @andrew_s1

    Grrr, my posts to this thread aren’t appearing here. Please check my activity stream to see what I wrote earlier!

    Avatar of ajohnson
    ajohnson
    Member

    @ajohnson

    Found a huge problem with this (or though it seems)

    Whenever you create an account, the link to activate your account in the activation email won’t let you it through because of the redirects. Anyone else having this problem?

    Thanks for the help and the great plugin. A small but mighty one!

    Avatar of andrew_s1
    andrew_s1
    Participant

    @andrew_s1

    What does the link in the activation email look like? What’s the “.php” bit of the URL, specifically? (is this in WPMU?)

    Avatar of ajohnson
    ajohnson
    Member

    @ajohnson

    it looks something like this on WordPress (not MU) install running BP 1.2.1-

    http://domainnname.com/activate?key=f0cae3781ec82827

    Avatar of jharder
    jharder
    Member

    @jharder

    I just wanted to add my own low-tech solution to a similar situation. This is what I did to hide all my BuddyPress features (members, activity, etc) while keeping my pages and blog posts publicly accessible…

    In my child theme, I copied the members/index.php, activity/index.php(etc etc) folders and files. Then in the index files, I surrounded everything inside the “padder” div (which displays all the content) with a is_user_logged_in tag like this:

    <div class=”padder”>

    <?php if (is_user_logged_in()){ ?>

    (content guts go here)

    <?php } else { echo “<h3>Members Only!</h3><p>Sorry. The page you have requested is for registered members only. Please visit our About page for more information on member registration. Thank you for visiting.</p>”;} ?>

    </div>

    PHP isn’t really my thing, so that’s probably not the best way of doing it, but it worked.

    Avatar of aine
    aine
    Participant

    @aishing

    Hi Im new here and am not a developer…so please bear with me!

    @jharder Ive tried your ‘hack’ but cant get it to work. Im sure its because Im putting it in the wrong place (as I said Im not a developer). Can you please be so kind as to tell me EXACTLY where you put the code on the copied the members/index.php, activity/index.php(etc etc) folders and files. I want my Members and Activity area to be only viewable to logged in users.

    Thanks so much.

    This privacy thing is doing my head in. :)

    Avatar of r-a-y
    r-a-y
    Moderator

    @r-a-y

    Avatar of aine
    aine
    Participant

    @aishing

    @r-a-y thanks for this and I have seen this code before and tried it several times but I cant get it to work…I know its me….Im just not putting it in the right place on the functions.php page. Ive put it at the very start of the page. For example:

    function sh_walled_garden()
    {
    global $bp;

    if( bp_is_register_page() || bp_is_activation_page() )
    return;

    if( ! bp_is_blog_page() && ! is_user_logged_in() )
    bp_core_redirect( $bp->root_domain .’/’. BP_REGISTER_SLUG );
    }
    add_action( ‘get_header’, ‘sh_walled_garden’ );
    /* Stop the theme from killing WordPress if BuddyPress is not enabled. */
    if ( !class_exists( ‘BP_Core_User’ ) )
    return false;

    /* Register the widget columns */
    register_sidebars( 1,
    array(
    ‘name’ => ‘Sidebar’,
    ‘before_widget’ => ‘

    ‘,
    ‘after_widget’ => ‘

    ‘,
    ‘before_title’ => ‘

    ‘,
    ‘after_title’ => ‘

    blah blah……….

    Is that correct? Because when I do this I get an error reading.

    I just need to know “exactly” where to put it on the page. For example put it between “x” and “y”.

    Thanks for getting back to me promptly though…appreciate it.

    :-)

    Avatar of r-a-y
    r-a-y
    Moderator

    @r-a-y

    @aishing – Try putting the code after the register_sidebars code in your theme’s functions.php. Then see if you get an error. Can you please paste the error if you get one?

    Btw, you should be creating a child theme to add custom code snippets, otherwise when you upgrade BP, you’ll lose your changes.

    Avatar of aine
    aine
    Participant

    @aishing

    @r-a-y thanks so much and will do.

Viewing 22 replies - 26 through 47 (of 47 total)

You must be logged in to reply to this topic.