Search retrieves users with field visibility adminsonly
I am currently setting up a members directory for our alumni association using buddypress (currently Version 3 RC1 from trac). I really love it and so far the feedback from our testers is really positive. I might consider contributing a showcase/case study if there is anything like that for buddypress. I have already contributed several translations and will add more during the weekend!
I have one issue remaining which is related to the search function. We allow our members to hide certain information from other members. For example one member can set their current location to “adminsonly”. Let’s assume this example. We have user Thomas in city Berlin and user Peter in city Munich. Thomas decides to hide his location from other members and sets the field visibility to adminsonly. Now Peter views Thomas’ profile and is not able to see his location. So far everything works as expected. Now Peter uses the search function and uses the keyword “Berlin”. The result set contains Thomas (without displaying any information about the city) although Peter should not be able to know the city.
I would tend to consider this as a breach of privacy for users. That’s why I currently have removed the search boxes from all pages. Technically, if someone knows the URL search strings he/she could still do the search. Is it possible to configure the search so that it only searches fields which are available to the user conducting the search?
Thanks and regards!
- You must be logged in to reply to this topic.