This should have dealt with quite a few versions back so something may have crept back in. If you can ensure this isn’t some odd plugin issue and that this definitely wasn’t happening in 1.6 please open a ticket on http://buddypress.trac.wordpress.org using your site credentials.
I will just add though that a quick test on a local install running trunk does NOT show any issue like this, so check carefully it isn’t plugin issue also scan through trac to see if there was a recent ticket and fix put in place.
Thanks Hugo, I tested it with all plugins deactivated except for BuddyPress and bbPress, and the problem persists. I’ll need to test it with the default theme as well, and possibly revert back to BuddyPress 1.6 to see if it still happens.
The only change I made recently was update to BuddyPress 1.7 and change from sitewide forums to group forms.
I’ll have another test and see what I can find. Thanks for putting me on the right path
I spent a few hours creating a development version and testing, but I still can’t get it to hide private discussions from the activity stream.
Here is what I tried so far:
– Deactivated all plugins except BuddyPress and bbPress, to see whether it is a conflicting plugin issue
– Reverted back to default BuddyPress theme
– Set the group to public, then back to private again
The only strange thing I’ve found so far is when I go into the database. Inside the bp_activity table, the discussions from private groups all have “hide_sitewide” = 0. If I set hide_sitewide for these discussions to 1, the topic no longer appears in activity stream. But where does hide_sitewide originally get set?
I have the same problem. However, my hide_sitewide values are “1” for private forum entries, but are being completely ignored with the sitewide activity is shown.
I, too, upgraded from legacy groups to sitewide forums.
I am running bbPress 2.4 with buddypress 1.8.1
I have run the forum tools script to repair hidden forums, but this hasn’t made a difference.
I’m really worried about this security breach and – despite seeing a number of posts in here pointing this out – the development team seem unable to recreate it at their end. Nevertheless, it seems it is affecting people like us and we need to lock it down ASAP.
I think the problem has to do with buddypress – bbPress integration.
The bbPress Group Forums appear to be set to ‘Open’ by default, even if they are hidden within buddypress. In fact, I cannot alter this. I tried changing my secret forum to ‘hidden’ within bbPress (2.4) and it won’t save the change – it always comes back as ‘open’.
Therefore, it’s up to buddypress to manage the privacy of the forum. It seems to be doing this with new topic posts (I can confirm that hide_sitewide in the activity stream table is “1” for new posts). The problem is that if someone replies to that post, the hide_sitewide for that reply is set to “0”, even though it’s inside of a ‘hidden’ group forum. To me, this is a serious security breach, as it exposes the forum name, the original topic name, and the contents of the reply in EVERYONE’s Activity stream, whether they are logged in or not, a member of the hidden forum or not.
This is definitely part of the problem that I’m having. It turns out that there’s a bug in bbPress 2.4 that does not allow the admin to make a Forum ‘private’ or ‘hidden’. At the moment, the only workaround is to use the bulk edit facility to apply the ‘private’ setting to a forum (but, not, sadly the ‘hidden’ attribute as of yet).
In other words, if you go into the forum setting for the individual forum on the back-end and change the attribute there, it won’t stick. The forum comes back again as ‘Public’.
I used the build editor to change my forum to ‘Private’ and that stopped the replies to topic posts from being broadcast to everyone in the buddypress sitewide activity page. Now, I’m waiting for the ability to make the forums ‘hidden’ for extra security. In the meantime, I’ve been using s2member to lock down the content of the bbPress Group forum. This ONLY works for Group forums, because their topics have a forum-specific URI structure (so URI-restrictions can be used; e.g. ‘/group/<name of group>/forum/’)… whereas non-Group forums just have the ‘/topic/’ URI which is sitewide and cannot be restricted by a particular forum name. This is lamentable, as bbPress is very hard to lock-down otherwise.
It’s taken me many hours to track down all of these niggly problems, which is frustrating, since bbPress and buddypress are meant to be integrated now. So, it seems as if the integration is mucky.
Given all the user confusion regarding forum attributes in bbPress and forum security in buddypress, I would really love to see the development teams come up with a simple, unified interface for managing memberships and access restrictions. Otherwise, we’ll all end up chasing settings in different places, without really understanding their interplay.
I experienced this exact same problem on a site I recently upgraded from an older version of buddypress/bbpress. Private group replies were available in users’ activity stream to non-logged in users even. I turned off all plugins with no affect.
This hit me too, but with profile fields set to “only me.”
It’s about as big a potential problem as I can imagine.