BuddyPress.org

Opened 8 years ago

Closed 8 years ago

#3462 closed enhancement (fixed)

Hidden groups are accessible via url

Reported by: modemlooper
Owned by:
Milestone: 1.6
Priority: normal
Severity: normal
Version: 1.5
Component: Groups
Keywords: needs-patch
Cc:

Description

If you know the URL to a hidden group you can see it. Shouldn't you get bounced if you are not logged in?

Change History (8)

#1 @boonebgorges
8 years ago

  • Milestone changed from Awaiting Review to 1.6

Possibly. The behavior you describe is the same as in earlier versions of BP. I think we're too late into this cycle to change what has likely become expected behavior, but I think we should discuss modemlooper's bouncing suggestion for the next version.

#2 @DJPaul
8 years ago

  • Owner set to DJPaul
  • Status changed from new to assigned

It's correct to say that it's new behaviour, but only due to a bug in the existing code.

e.g. http://testbp.org/groups/pauls-hidden-group/ works, but http://testbp.org/groups/pauls-hidden-group/home/ doesn't.

#3 @DJPaul
8 years ago

  • Owner DJPaul deleted

Having reviewed the code and my earlier assumption when working on #3669, my point about the above links is still valid, but I've learnt the groups do redirect to the first URL and display a "you don't have access" message, so it's not as simple as removing an !empty() check, which is what I thought the problem was originally.

As Public and Private groups can be read by any user, I think the current behaviour is fine; especially for Private groups, as the user needs to be able to request membership somehow (a site may not use the groups directory, for example).

For Hidden groups, I think we should change the behaviour so that if you don't have access, (all of) the link(s) 404. At the minute, you can see a "this is a hidden group and only invited members can join" message, but you can view the group title, description, and see the admin/moderator avatars.
This would be the same behaviour as if you try to access the group admin page URL without authorisation (it 404s), and I think it would be more consistent, as well as having the benefit of keeping the hidden group's title and description hidden.

The latter could be achieved by updating the templates but that means putting core logic into the default theme(!).

#4 @DJPaul
8 years ago

  • Type changed from defect (bug) to enhancement

#5 @johnjamesjacoby
8 years ago

Agree with Paul above. Hidden groups should 404, and private should work per normal.

#6 @johnjamesjacoby
8 years ago

  • Component changed from Core to Groups

#7 @johnjamesjacoby
8 years ago

  • Keywords needs-patch added

#8 @boonebgorges
8 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

(In [5373]) 404 when attempting to access the URL of a hidden group. Fixes #3462
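
The behaviour agreed in this thread (a hidden group returns 404 on every one of its URLs for anyone without access, while public and private groups keep working), shown as an added example. It is not BuddyPress code and not changeset [5373]; the data model, the function name `group_response_status` and the sample slugs are hypothetical.

```php
<?php
// Added illustration: hypothetical data model and function names, not BuddyPress code.

// Constructed sample data: slug => group record.
$groups = [
    'book-club'   => ['status' => 'public',  'members' => [1, 2]],
    'staff-only'  => ['status' => 'private', 'members' => [1]],
    'secret-plan' => ['status' => 'hidden',  'members' => [1]],
];

/**
 * Decide the HTTP status for a request path such as /groups/<slug>/<sub-page>/.
 * The decision is made once per group, before any sub-page routing, so
 * /groups/x/ and /groups/x/home/ can never disagree.
 */
function group_response_status(array $groups, string $path, ?int $user_id): int
{
    $parts = array_values(array_filter(explode('/', $path), 'strlen'));
    if (count($parts) < 2 || $parts[0] !== 'groups') {
        return 404;
    }
    $group = $groups[$parts[1]] ?? null;
    if ($group === null) {
        return 404; // no such group
    }
    $is_member = $user_id !== null && in_array($user_id, $group['members'], true);
    if ($group['status'] === 'hidden' && !$is_member) {
        // Same status as a missing group: title, description and admin
        // avatars are never rendered, and existence is not confirmed.
        return 404;
    }
    // Public and private groups still render; a non-member of a private
    // group needs the page in order to request membership.
    return 200;
}

// Constructed requests: [path, user id or null for logged-out].
$requests = [
    ['/groups/secret-plan/', null],
    ['/groups/secret-plan/home/', null],
    ['/groups/secret-plan/home/', 2],
    ['/groups/secret-plan/home/', 1],
    ['/groups/no-such-group/', null],
    ['/groups/staff-only/', 2],
];
foreach ($requests as [$path, $uid]) {
    printf("%-28s user=%-4s -> %d\n", $path, $uid ?? 'anon', group_response_status($groups, $path, $uid));
}
```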
