Skip to:
Content
Pages
Categories
Search
Top
Bottom

1.5.1: Activity stream for private groups displayed to everyone!

  • @johjoergensen

    Member

    I just realized that when logged out, the activity stream for private groups is displayed!
    This is a serious security concern!

Viewing 16 replies - 1 through 16 (of 16 total)
  • @djpaul

    Keymaster

    Private is basically read- and invite- only. https://codex.buddypress.org/getting-started/group-settings-and-roles/

    @wiking

    Member

    if you want to modify that behavior you can edit the theme files which i did for my community. users browsing the page don’t see anything unless they register. i used the wordpress-function is_user_logged_in()
    files to consider:
    /wp-content/plugins/buddypress/bp-themes/bp-default/activity/activity-loop.php
    and to hide the rss-button (private groups still in rss if you know the link or browse the source code – but users not logged using the site don’t see anything):
    /wp-content/plugins/buddypress/bp-themes/bp-default/activity/index.php

    @johjoergensen

    Member

    @djpaul, from the BP website: “Private groups are also visible in group directories. The group name and group description remain available for all to see. However, the contents of the group are accessible only to members….” This is not how it works in 1.5.1 – it must be a bug?

    @wiking thank you for the workaround, but I would like a more bullet proof solution as I am using BP for professional purposes…

    @djpaul

    Keymaster

    Either a bug with the code or a bug with the description.

    @peeld

    Participant

    I am having this issue – Private Groups are showing up to logged in users, under the ‘my friends’ tab in the activity stream, even though they themselves are not a member of the group that is private!! I am using BP for a paid membership site, please help, this is a hole in the privacy….

    I removed the ‘all members’ activity stream option/tab from my theme, so I don’t have to worry about that, but still…private group activity shouldn’t show up there?!

    @boonebgorges

    Keymaster

    I can’t reproduce either issue on my local installations.
    – Hidden/private group activity does not show for logged-out users
    – Hidden/private group activity does not show on the Friends activity tab

    Are either of you running plugins that affect the way that activity works? Or is there something in your custom theme that modifies the activity loop?

    @peeld

    Participant

    This is even WORSE…

    -Hidden/private group activity DOES show for logged-out users
    -Hidden/private group activity DOES show on the Friends activity tab

    I’m using Themekraft CCPro as well as S2member.
    Also using BP Forums Extras: View activity comments on forum posts
    Activity Bump.

    I’ve made no modifications to activity-loop.php.

    For the moment, I can restrict activity for not logged in users by using s2member’s uri restrictions, but this is just a patch, there’s something funny going on here.

    Daisy

    PS as an aside, I can’t access any forum topics I’ve started or replied to through my profile page *on this site*. Also can’t post activity updates or private messages to anybody. Can’t access forum replies via the menu at the very top of the page either.

    @boonebgorges

    Keymaster

    Can you switch to bp-default to see if the problem persists?

    @peeld

    Participant

    In bp-default, the problem persists.

    @peeld

    Participant

    I’m still following this, any update?

    @peeld

    Participant

    Boone Gorges, or anybody else, is there an update on this? PLEASE let me know, this is a serious issue :(

    @boonebgorges

    Keymaster

    I’m unable to reproduce the problem. Without being able to reproduce, I’m afraid there’s nothing I can do.

    Perhaps you can try installing a fresh installation of BuddyPress somewhere else, and then attempting to reproduce the issue. Take careful notes of the steps required to reproduce, so that you can share them with the team.

    @peeld

    Participant

    I think I figured out my problem – the groups WERE set to public, and when I set them to private, the hide_sitewide value in the SQL database didn’t get changed.

    So, now I need to change ALL those values from 0 to 1. What SQL statement do I run to do this?

    And, is there a plugin or update to get it so that when the status of a group changes from public to private, all the posts ARE switched from 0 to 1?

    @peeld

    Participant

    Never mind, figured out the SQL statement, set all activity to hide_sitewide=1 :)

    PHEW! It’s not clear, btw, that setting groups to private doesn’t change this setting, I had to dig and dig and dig. Really, don’t you think it SHOULD? If you set a group from private to public, I can see it not being retroactive, but if it’s going from public to private, imo it should ALL go private.

    @boonebgorges

    Keymaster

    Thanks for posting an update, @peeld.

    There is an existing ticket going in one direction: https://buddypress.trac.wordpress.org/ticket/3463, and there is an old discussion related to the broader issue: https://buddypress.trac.wordpress.org/ticket/2678

    This is part of a larger problem with the way that activity items are hidden in certain cases. It’s long been an issue of mine, so I’ve opened a ticket with a view to fixing it sooner rather than later: https://buddypress.trac.wordpress.org/ticket/3857

    @jonlachlan

    Participant

    Just came across this issue. Updates in Groups that were previously public, now private, are shown to a non-member in All Activities page. However, if they open the group page, they are of course told that it’s private (nothing is shown). Isn’t there a way for the loop to just check the group privacy status for each activity item?

    This is in 1.6.1 (as WP plugin)

Viewing 16 replies - 1 through 16 (of 16 total)
  • The topic ‘1.5.1: Activity stream for private groups displayed to everyone!’ is closed to new replies.
Skip to toolbar