After doing some reading this has come up a few times in the past and it seems its not going to happen, i see brajesh tried creating a theme a while back that used ajax on the members single profile pages but even he states its not for a production site, so no worries, i was just curious as to why its not as standard same as the way the other tabs work that’s all.
Probably because no one use BP xprofile component as is only.
One use it only by default, another add 20 tabs and another one only 3.
Ajaxifying such tabs, not all are in english when they are customized, will became a bit too complex to adjust each individual case.
But i can be wrong. ๐
Hey @mcpeanut
I don’t think there’s any reason why these shouldn’t have ajax functionality. It may well be planned, but I’m not sure? Take a look through the open Trac tickets to see if anything is in the pipeline.
The site i’m currently developing with Buddypress (my first buddypress site) is totally Ajaxed using Ajaxify WordPress Site Pro.
All profile tabs are now ajaxed as well as everything else.
There is a small issue with messaging but the plug in developer is fixing that as we speak.
@mrgiblets i once recall downloading lots of various ajax all plugins and testing them but i noticed that alot of things could easily break for me due to the plugins i use, maybe worth trying it again? what is the issue with messaging with that plugin?
@danbp i understand what your saying but maybe just have all the default tabs ajaxed? if this was the case plugins that create new tabs within buddypress would have to follow suit, no?
@henrywright yes im gonna take a look later through the link you posted.cheers
Ok after some thought (i dont have a clue if this can be done ) but is there anyway that you could upon clicking the buddypress tab ‘profile’ (for example) on a members page you could have it anchor to a specific part of the page after it refreshes the page? Let me explain why, the reason i ask is that to get to the profile tab on a members page involves scrolling a little down my page, so upon clicking the profile or any other tab on a members page it will refresh the page and jump back to the top making you have to scroll back down to the subnav that is just out of view.
So the question is this, could i make each of the top level navigation tabs after being clicked and the page reloads anchor back down to the corresponding sub nav tab?
I hope this explains exactly what im trying to say haha, if it can be done can you give me any clues as of how to do this?
Hey @mcpeanut,
AWS Pro will do exactly what you are after out of the box, it returns you to exactly where you were on the page, but you might find that you want to disable that as it can be a bit confusing for people. If they click on a link for a blog post for example, it will load the new page but not from the top if that makes sense, so you see the blog post but you may already be halfway down the page and need to scroll back up to read it from the start. This can be fixed with the inbuilt “scroll-to-top” feature though, which is what I use but I’ve removed the hard coded jQuery animation that comes with it.
The messaging issue is that at the moment with AWS Pro activated, the dropdown list of members isn’t firing when you start typing somebody’s name in a private message. I notified the dev about it and he is fixing it for the next update though.
I tried that plugin but my plugin setup is far to complex for it to work without breaking ALOT of things on my site, it wouldn’t be worth all the troubleshooting with these other plugins (as i suspected), the website is very ambitious and i have a set amount of plugins i need running to achieve it, removing features is not an option, the main thing im concentrating on is performance with all of the plugins active (which is alot more than the average site so hence the problems) and im trying to combine all my js files in the most efficient way i can without again breaking functionality , i don’t really need all the website to be ajaxed as such it is more a case of just the buddypress tabs on the profile areas that is the issue really
@danbp hey dan after re-reading your comment bud ive just realized we are on about different tabs hehe, i was talking about the actual top level tabbed navigation on your profile. examples:
Activity
Profile
Friends
Groups
settings
etc…..
and the sub navs for each tab. examples:
Personal
Mentions
Favorites
Friends
Groups
etc….
@danbp haha and? i was just saying bud so you knew what tabs i was on about lol, shlaaps my head for not being clear in the first part! lol
Late nite coffee riot. ๐ Go to bed it’s time to sleep a little.
I understood what you asked. Tab tab tab… on profile page.
Profile stuff is on the member page (the member Core component).
And when when you say profile page, i understand the profile tab (in reality the profile template), displayed on the member page in My profile context.
Items you listed are part of the buddymenu.
They are also used in the usermenu(top right corner), which is part of the toolbar (aka wp admin bar)
End of jargon. ๐
No worries m8, as far as sleep is concerned, what is this sleep you speak of? hahahaha
Besides i just woke up at 12am so im up all night now, damn my sleeping pattern is a mess at the minute :/
Oh i always forget about the top menu as i have disabled the top bar, i hate it!
I hate the wordpress bar at the top and always have , it screams your using wordpress above anything else. I always disable it hence why i was working on my own notifications i a previous post.
I just started implementing this in my theme. I was going to try to hook into bp_filter_request() but it doesn’t use nonces so I am not sure if it is secure for loading tabs that may have restricted visibility.
I couldn’t see anything on trac. Is this being worked on at the moment?
@codemonkeybanana this is just my own personal opinion but implementing WP nonces when loading tabs isn’t hugely necessary. WP nonces verify user intent, and even if intent cannot be verified, what harm could come from a visit to a simple profile tab?
Just to be clear, security and privacy checks should be carried out separately to WP nonce implementation
@henrywright How would you do the security check? If I follow current way buddypress does things with loading the template part for the tab any logged out user can just modify the javascript and get into any profile page they like. It’s first time I’ve done this so appreciate the advice.
what harm could come from a visit to a simple profile tab?
You could see hidden data that user did not want displayed. I believe if you hold data and say it is private then you should attempt to secure it. You could also view their messages and private groups.
The thing I am struggling to understand is how buddypress functions work on the post request. I wrote some test code and data is correctly populated from displayed user. Does buddypress read a referrer value somewhere on every ajax post?
You could see hidden data that user did not want displayed.
That’s why I said privacy checks should be carried out separately.
As an aside, security and privacy are both very different things. Securing data means making sure it is safe where as privacy refers to the visibility of the data. Both these things should be addressed in your application. Then there are nonces, which are different again.
My point about nonces not being necessary in this instance still stands (But I’m sure there will be some who challenge this view). Nonces simply verify intent (i.e. did the user intend to click on this link?).
If privacy and security checks are already in place, then the tab content will be inaccessible to unauthorised users regardless of whether nonces are in operation.
Also, to answer your question:
How would you do the security check?
These must be done server side. You’re right to think that anything done via the client can be tainted (manipulated by an end user).
The general process is:
- Make an AJAX call passing any client-side data to the server
- Process the data (secure it and perform necessary privacy checks) and then send a response
- Do something client-side with that response
For more info on AJAX and WordPress, check out the AJAX in Plugins article.
With standard buddypress (no modifications) you can freely view anyone’s messages without even logging in. Personally I think that is not very good security/privacy, whatever you want to call it.
I made a ticket as I don’t think that “private messages” should be publicly viewable
(https://buddypress.trac.wordpress.org/ticket/6504#ticket)
What privacy/security checks would you recommend for people who don’t want users private data publicly viewable?
With standard buddypress (no modifications) you can freely view anyoneโs messages without even logging in
That shouldn’t be the case for all users. Only users with admin capabilities should be able to do that. Are you able to see people’s private messages when logged in as a subscriber? If so, that’s a bug
I can view anyones messages when logged out. If I log in I think it shows me my own messages, not sure, the main issue is that someone could easily harvest every single message from a buddypress site. Users are not tech savy and will presume that correspondence is relatively secure so there may be sensitive data stored. Or at worst it would give enough information for an attacker to social engineer the additional data they need.
I can view anyones messages when logged out.
And you’re definitely talking about what BuddyPress refers to as private messages?
Can you try again after disabling all plugins, reverting to TwentyFifteen and removing all custom code? If you still get to see private messages when logged out then that shouldn’t be happening.
@henrywright Brajesh has confirmed and posted a patch, check the ticket.
