Skip to:
Content
Pages
Categories
Search
Top
Bottom

All site data visible to members and non-members alike


  • Tyler Regas
    Participant

    @tylermobodojocom

    I’ve been poking around for some time and I’m a little surprised that not one person has been confused by the complete lack of security in BuddyPress. I have started a closed beta program for a project I’m working on for the Autism community. Without going into a lot of detail, the Autism community requires strong security. Facebook offers their version of security in that you need to be logged in and a friend in order to see someone’s profile information. All social systems I have seen and/or worked offer a choice about what you want to make public facing or only for approved individuals.

    BuddyPress offers no such protection at all. Nothing. Everything I can see while logged in as admin I can see by not logging in and simply clicking around. I’ve been using WordPress for 5 years now and, while I’m new to WPMU and BuddyPress, I know that there are no options for managing who gets to see what and under what circumstances. This would seem to me to not only be a critical aspect of any social network, but also a rather simple one to implement. Then again, I’m no coder. I’m just a weekend hacker with lots of sysadmin experience.

    Regarding my audience, there’s no way I can let people put in their personal information and let some random asshat walk in and read it, or worse, act on the personal and identifying information they find there. That’s just not possible.

    Is there something I’m missing? Some people tell me I’m smart, but I rarely believe them, so its very possible I’ve missed something obvious.

    Help?!

Viewing 25 replies - 1 through 25 (of 47 total)
  • With all due respect:

    This would seem to me to not only be a critical aspect of any social network, but also a rather simple one to implement. Then again, I’m no coder.

    Obviously this feature is coming, but it hasn’t happened yet.

    For 1.2, Jeff Sayre is updating his privacy plugin http://jeffsayre.com/2009/12/05/buddypress-privacy-component-released/. That’s one solution on its way. Otherwise, you can implement a lot of “stop people seeing this” in child themes.


    andrew_s1
    Participant

    @andrew_s1

    You could always just use htpasswd to compel http authentication too. It’s a bit of a pain for users to have to log in to both the directory, and into buddypress, but it will give you the protection you need. Or you could just stick something into the theme to say that if the user isn’t logged in, they’re always redirected to the login / register page. I need something similar, so if I make any progress, I’ll post back here with it.

    with all due respect:

    Some people tell me I’m smart, but I rarely believe them, so its very possible I’ve missed something obvious.

    … don’t tell people say you’re smart, it’s the wrong way to proove you are. This project is 2 years old and most of the privacy system is already on the road for the next days… at the opposite of the track, check at Facebook and see how much time it took them to add privacy features… 5 years. and they were paid millions to do so, and forced by federal governments…

    on this side of things, we have a solo guy who is doing it with the help of some volunteers that have more dedication to the work than the team of 50 that are paid by facebook…

    so the smart, please consider yourself less selfish in your ways, please.

    I would say privacy is probably the most complex feature to implement – as far away from simple as you can get.

    If you want to just close off your site to users who are not logged in, then there are plenty of plugins you can use. Or you can just use the following code in your plugins directory, smartypants:

    <?php
    /*
    Plugin Name: BuddyPress Lockdown
    Plugin URI: https://buddypress.org/
    Description: Lock down your BuddyPress site if a user is not logged in.
    Author: Andy Peatling
    Version: 1.0
    Author URI: https://buddypress.org/
    Site Wide Only: true
    */

    function bp_lockdown() {
    global $bp;

    if ( BP_REGISTER_SLUG != $bp->current_component && 'wp-login.php' != $bp->current_component && !is_user_logged_in() )
    bp_core_redirect( site_url( 'wp-login.php' ) );
    }
    add_action( 'bp_init', 'bp_lockdown' );
    ?>

    If someone wants to take that code and turn it into an actual plugin in the repo, and perhaps extend on it, please do.


    andrew_s1
    Participant

    @andrew_s1

    Here’s an odd thing. When I’m on page wp-login.php, $bp->current_component appears to be empty at bp_init time, so bp_lockdown loops continuously (bp1.21).

    Strange, works no problem for me on WP 2.9.2.


    Windhamdavid
    Participant

    @windhamdavid

    it’s not working for me 3.0-alpha/bp trunk ~ I had a very simple solution to accomplish this eons ago (pre privacy plug) and I’ll look at it again this afternoon in combo with your lockdown code.

    BP 1.2 has not been built to support WP 3.0-alpha.


    abcde666
    Participant

    @erich73

    @Andy

    sorry if my following questions are off-topic:

    when I do create a “Private Group” on Group-creation:

    – are the members-data who have joined this “Private-Group” visible to search-engines like Google ?

    – are the user-images (avatar-images) and user-Profile-Fields of “Private-Group-Members” visible to search-engines ?

    – is the user-activity (e.g. Permalink-comments) within a “Private Group” being exploited to search-engines or is it hidden from search-engines ?

    – are all data from “Private-Groups” are actually hidden from other members within an installation ?

    So if “Private Groups” would be hidden from search-engines, this would be perfect “Privacy” – just need to setup “Private-Groups” only, instead of “Public-Groups” ?

    Many thanks.


    andrew_s1
    Participant

    @andrew_s1

    wp2.9.2 here too. Very strange. I tried disabling all other plugins apart from buddypress and bp-lockdown, with the same result.


    Windhamdavid
    Participant

    @windhamdavid

    I know this! .. forward thinking and I’ve found very few errors, 1.2 supports 3.0-alpha much better than is to be expected with very little errors, notices or conflicts on depreciated functions.


    Windhamdavid
    Participant

    @windhamdavid

    <?php if(!is_user_logged_in()){

    nocache_headers();

    header("HTTP/1.1 302 Moved Temporarily");

    header('Location: ' . get_settings('siteurl') . '/wp-signup.php?redirect_to=' . urlencode($_SERVER['REQUEST_URI']));

    header("Status: 302 Moved Temporarily");

    exit();

    } ?>

    this quick hack (in the top of header.php) will only registered and logged in users can view. As for using it with version 1.2 default theme ~ I would suggest making a custom header for any of the buddypress elements you want to keep private and keep the rest public. At least until privacy functions are available as a plugin or in core.


    Windhamdavid
    Participant

    @windhamdavid

    I also just tested bp_lockdown() with MU 2.9.1.1 and 1.2 ~ same fail as 3.0-alpha regardless of if I clear cookies or cache. I think andrew_s1 has it right.


    andrew_s1
    Participant

    @andrew_s1

    I stuck this line into function bp-lockdown, just after the global statement:

    error_log(“bp->current_component='{$bp->current_component}'”);

    and then viewed my /var/log/apache2/error.log

    It’s fine on the registration page, “/{blog}/register/” . Here, bp->current_component contains ‘register’, as expected, so no loop

    But at “/{blog}/wp-login.php” , bp->current_component is empty.

    This is the same, whether I’m actually logged in, or not.


    andrew_s1
    Participant

    @andrew_s1

    When viewing wp-login.php, then:

    at line 178 of bp-core.php, both $bp->current_component and $bp->displayed_user->id are empty

    at line 138 of bp-core/bp-core-catchuri.php, $bp_uri =array([0] => ‘wp-login.php’), but $component_index = 1

    So there’s the problem – when viewing wp-login.php, $bp_uri has value ‘wp-login.php’ at key 0, but $component_index is 1, so $current_component is set to an empty string

    [EDIT – value is ‘wp-login’ not ‘wp-login.php’ – sorry. EDIT again – bah – wp-login.php it can be – it’s whatever the user enters in the URL. wp-login.php and wp-login both worth, and each gets carried through as is]


    Windhamdavid
    Participant

    @windhamdavid

    Correction on my part!! No Fail for bp_lockdown(). It Works perfectly fine in 3.0 alpha and MU 2.9.1.1 @Andrew_s1 ~ make sure you have registration enabled as that’s what’s causing your loop.


    Windhamdavid
    Participant

    @windhamdavid

    I also edited this line

    bp_core_redirect( site_url( 'wp-login.php' ) );

    to

    bp_core_redirect( site_url( BP_REGISTER_SLUG ) );


    andrew_s1
    Participant

    @andrew_s1

    Well, yes, that would prevent the loop: the loop happens on wp-login.php, but not on /register/

    Enabling registration doesn’t affect the problem. The problem’s cause is that in bp-core/bp-core-catchuri.php , function bp_core_set_uri_globals , when viewing wp-login.php, $component_index = 1 , but $bp_uri =array([0] => ‘wp-login’)


    andrew_s1
    Participant

    @andrew_s1

    And $component_index=1 because VHOST===‘no’ and $is_root_component is empty at line 131 of bp-core/bp-core-catchuri.php


    andrew_s1
    Participant

    @andrew_s1

    And $is_root_component is empty because wp-login does not appear in $bp->root_components when evaluated at line 129 of bp-core/bp-core-catchuri.php


    Windhamdavid
    Participant

    @windhamdavid

    nice analysis ~ I’m also duplicating those errors with the core_redirect pointed to wp-login.php I’d bet Jeff has a good handle on this and I sent a request to help him test the upcoming release. I don’t have a copy of his old release to adapt or modify (if anyone could point me to, or send me the old copy, that might help).. but the hack i put up previously has worked like a charm for me making some pages private while leaving others public without having to expand this into a full on plugin with user options. I simply call that custom header for any pages I want to keep private.


    Windhamdavid
    Participant

    @windhamdavid

    with the $is_root_component empty ~ it’s also failing to allow login with the redirect pointed to site_url( BP_REGISTER_SLUG ) ~ So that is not a viable solution for bp_lockdown()


    andrew_s1
    Participant

    @andrew_s1

    yes, it’s patchy with that. If the link is directly to /register/, then it works fine. But if it’s to wp-login.php?action=register, then it gets stuck in the wp-login loop.


    Tyler Regas
    Participant

    @tylermobodojocom

    Thanks for the feedback on this, folks! I would submit that this simply proves that I am not smart and that your mild jabs at my supposed intelligence are sadly misplaced.

    I do have a security implementation now being used on the site. It is a plugin for WP called Restricted Site Access from C. Murray Consulting. It works to the point where if they are not logged in I can redirect them. To workaround this roadblock, I ended up installing a secondary WP installation as the redirect target. It just feel so ridiculously busy and unnecessary.

    If I could manage to get the plugin to allow users to not only go to the login page, which is allowed, but also to the signup page, then I might be mollified. Its very important that the site work to protecting its susceptible members from the inevitable predators who are out there. Not only will the site provide online socialization, but local events will be coordinated with regional volunteers, so you can see where there might be a problem.

    So, how many people are employed by Auttomatic to work on this project?

Viewing 25 replies - 1 through 25 (of 47 total)
  • The topic ‘All site data visible to members and non-members alike’ is closed to new replies.
Skip to toolbar