
Hidden group posts visible to all

  • kenrichman
    Participant

    @kenrichman

    I logged in as admin, created a hidden group, added some posts to the forum, made one a favorite.

    Then logged out.

    While logged out I looked at my member profile, clicked on favorites, and there was my post, where it could be read by anyone. Also displayed was the hidden group name and hidden topic name.

    I need this fixed as the site cannot go live leaking like this. Help please!?

Viewing 11 replies - 1 through 11 (of 11 total)
  • aces
    Participant

    @aces

    I just tried out something like that and agree that it is a secrecy leak.

    I am using the walled_garden technique to block non logged in users from viewing members or activity pages so they couldn’t see anything there but if logged in but without being a member of that group they can see too much information…

    It seems that favouriting a secret group topic is not a good idea….

    Hugo
    Moderator

    @hnla

    There have been issues with ‘Hidden Groups’ and leaking of group activity in general to the wider site, I raised a ticket on one major flaw a while back but sounds as though a further ticket might be required.

    To get this ‘fixed’ you will need to raise a ticket on the trac system please detailing steps to re-create and versions you are using, this way a core developer will get around to testing this and prioritizing the ticket for attention. You can log in to the trac using your BP credentials.

    Edit// Can confirm, marking a topic as ‘favourite’ does display this piece of data to site members who are not members of the hidden group, they can navigate to the member’s profile and check the member’s ‘favourite’ listing, they can also mark that item as a ‘favourite’ for their own listing. In all other respects previous issues appear ok and cannot see the hidden group or its data elsewhere nor can I, as a non-joined member, see that ‘favourite’ topic in any further detail. WP 3.* / BP 1.2.6

    Hugo
    Moderator

    @hnla

    One possible fix or workaround might be to remove ‘favourites’ from public screens, i.e. only display this if logged in user is equal to displayed user.

    imho a lot of a member’s account/profile information is essentially private to them, I do not really need to see another member’s favourite list.

    Trac ticket please

    Kim Gjerstad
    Participant

    @kgjerstad

    I went over to Trac, and the issue is to be corrected in the next release 1.3. See trac ticket:

    http://trac.buddypress.org/ticket/2678

    Hugo
    Moderator

    @hnla

    Yep, it references the original issue #2293, and I recall the latter ticket now, probably ought to have been addressed at an earlier version though!

    So I would suggest for immediate workaround my suggestion of displaying favourite only to logged in user if also displayed user? or wait ;)

    kenrichman
    Participant

    @kenrichman

    Thank you guys, really good to know this is being worked on.
    I agree that favourites is not the sort of thing for public knowledge.
    I would really appreciate some help with the code to add this fix. It may sound quite trivial to some but for me I’m afraid it isn’t.

    kenrichman
    Participant

    @kenrichman

    @hnla – re: your suggestion – displaying favourite only to logged in user if also displayed user – I agree this would be a good fix, as I don’t really want favourites to be visible to all.
    If you can help with the code to achieve this I’d be grateful as the site is about to go live.

    embergermedia
    Member

    @embergermedia

    @kenrichman @hnla +1

    I have a few weeks before my launch, so I have some time. After I squash a few other more pressing bugs, I am going to look into this. Glad I found this post.

    kenrichman
    Participant

    @kenrichman

    @embergermedia – just wondering if you’ve had a chance to look into this?
    Fortunately my site won’t be using the activity stream – yet!

    embergermedia
    Member

    @embergermedia

    @kenrichman Hey, sorry, I have yet to look into this. I’ve been so busy with getting everything else my client wants working to work that this got put to the bottom of my list. Hopefully I will remember to revisit it before I get a complaint! If I get hnla’s idea working, I will post here how I did it.

    Peace
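
The workaround suggested in the thread (show favourites only when the logged-in user is also the displayed user), written as a small plugin. This is an added example, not code posted by anyone in the thread and not BuddyPress core code; the `pf_` function names and the component/action slug pairs are assumptions to adjust for your install, and it relies on the `$bp` global plus `bp_core_remove_subnav_item()` and `bp_core_redirect()`.

```php
<?php
/*
Plugin Name: Owner-only favourites (example)
Description: Added example for this thread; not BuddyPress core code.
*/

// Assumption: (component slug, action slug) pairs of the favourites screens
// to protect. Check the profile URLs on your own install and adjust.
function pf_protected_screens() {
	return array(
		array( 'activity', 'favorites' ),
		array( 'forums', 'favorites' ),
	);
}

// The rule proposed in the thread: the viewer must be logged in and must be
// the member whose profile is being displayed.
function pf_is_owner( $viewer_id, $displayed_id ) {
	return (int) $viewer_id > 0 && (int) $viewer_id === (int) $displayed_id;
}

function pf_enforce_owner_only_favourites() {
	global $bp;

	// Not a member profile page: nothing to do.
	if ( empty( $bp->displayed_user->id ) ) {
		return;
	}
	$viewer = empty( $bp->loggedin_user->id ) ? 0 : $bp->loggedin_user->id;
	if ( pf_is_owner( $viewer, $bp->displayed_user->id ) ) {
		return;
	}

	foreach ( pf_protected_screens() as $screen ) {
		list( $component, $action ) = $screen;

		// Hiding the tab is not access control on its own, so refuse the
		// direct URL first; bp_core_redirect() ends the request.
		if ( $bp->current_component === $component && $bp->current_action === $action ) {
			bp_core_redirect( $bp->displayed_user->domain );
		}

		// Then drop the tab so the listing is not linked from the profile.
		bp_core_remove_subnav_item( $component, $action );
	}
}
// Priority 2 on 'wp' so the check runs before the profile screen is rendered.
add_action( 'wp', 'pf_enforce_owner_only_favourites', 2 );
```

This only stops other visitors from reading a member's favourites listing; the underlying handling of hidden-group content is what the Trac ticket covers.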
