I just tried out something like that and agree that it is a secrecy leak.
I am using the walled_garden technique to block non logged in users from viewing members or activity pages so they couldn’t see anything there but if logged in but without being a member of that group they can see too much information…
It seems that favouriting a secret group topic is not a good idea….
There have been issues with ‘Hidden Groups’ and leaking of group activity in general to the wider site, I raised a ticket on one major flaw a while back but sounds as though a further ticket might be required.
To get this ‘fixed’ you will need to raise a ticket on the trac system please detailing steps to re-create and versions you are using, this way a core developer will get around to testing this and prioritizing the ticket for attention. You can log in to the trac using your BP credentials.
Edit// Can confirm, marking a topic as ‘favourite’ does display this piece of data to site members who are not members of the hidden group, they can navigate to members profile and check members ‘favourite’ listing, they can also mark that item as a ‘favourite’ for their own listing. In all other respects previous issues appear ok and cannot see the hidden group or it’s data elsewhere nor can I, as non joined member see that ‘favourite’ topic in any further detail. WP 3.* / BP 1.2.6
One possible fix or workaround might be to remove ‘favourites’ from public screens i.e only display this if logged in user is equal to displayed user.
imho a lot of a members account/profile information is essentially private to them, I do not really need to see another members favourite list.
I went over to Trac, and the issue is to be corrected in the next release 1.3. See trac ticket:
https://trac.buddypress.org/ticket/2678
Yep It references the original issue #2293, and I recall the latter ticket now , probably ought to have been addressed at an earlier version though!
So I would suggest for immediate workaround my suggestion of displaying favourite only to logged in user if also displayed user? or wait
Thank you guys, really good to know this is being worked on.
I agree that favourites is not the sort of thing for public knowledge.
I would really appreciate some help with the code to add this fix. It may sound quite trivial to some but for me I’m afraid it isn’t.
@hnla – re: your suggestion – displaying favourite only to logged in user if also displayed user – I agree this would be a good fix, as I don’t really want favourites to be visible to all.
If you can help with the code to achieve this I’d be grateful as the site is about to go live.
@kenrichman @hnla +1
I have a few weeks before my launch, so I have some time. After I squash a few other more pressing bugs, I am going to look into this. Glad I found this post
@embergermedia – just wondering if you’ve had a chance to look into this?
Fortunately my site won’t be using the activity stream – yet!
@kenrichman Hey, sorry, I have yet to look into this. I’ve been so busy with getting everything else my client wants working to work that this got put to the bottom of my list. Hopefully I will remember to re visit it before I get a complaint! If I get hnla’a idea working, I will post here how I did it.
Peace