Hidden groups activity shows in friends > activity screen of non group members
|Reported by:||hnla||Owned by:|
Bob & Alice are friends.
Alice is a member of a Hidden group.
Bob is not a member of that same hidden group.
Bob logs in and navigates to his account/profile
Bob clicks link 'activity > friends'
Bob now sees all activity generated by his friends in all? areas.
Bob notices that Alice has posted to a group he hasn't seen before, he can read the latest comment she has made but he can't access the group via the links 'Group Name' or 'View' as he is correctly denied access - however Bob finds that he can use the 'Reply' link on the update and effectively post a reply to the group! this now appears threaded in the update view on his screen.
Alice logs in and visits the hidden group where she finds a reply to the last update she made but from a user who is not an invited member of this hidden group.
Noticed in 126.96.36.199
Tested and confirmed same behavior in 1.2.3
While this defect exists hidden groups are open and not safe to use as suggested by their description.
Change History (17)
- Cc boonebgorges added
- Keywords has-patch, needs-testing added; hidden groups activity removed