Opened 13 years ago
Closed 13 years ago
#3462 closed enhancement (fixed)
Hidden groups are accessible via url
Reported by: | modemlooper | Owned by: | |
---|---|---|---|
Milestone: | 1.6 | Priority: | normal |
Severity: | normal | Version: | 1.5 |
Component: | Groups | Keywords: | needs-patch |
Cc: |
Description
If you know the url to a hidden group you can see it. Shouldn't you get bounced if you are not logged in?
Change History (8)
#2
@
13 years ago
- Owner set to DJPaul
- Status changed from new to assigned
It's correct to say that it's new behaviour, but only due to a bug in the existing code.
e.g. http://testbp.org/groups/pauls-hidden-group/ works, but http://testbp.org/groups/pauls-hidden-group/home/ doesn't.
#3
@
13 years ago
- Owner DJPaul deleted
I've reviewed the code and my earlier assumption when working on #3669. My point about the above links is still valid, but I've learnt the groups do redirect to the first URL and display a "you don't have access" message, so it's not as simple as removing an !empty() check, which is what I thought the problem was originally.
As Public and Private groups can be read by any user, I think the current behaviour is fine; especially for Private groups, as the user needs to be able to request membership somehow (a site may not use the groups directory, for example).
For Hidden groups, I think we should change the behaviour so that if you don't have access, (all of) the link(s) 404. At the minute, you can see a "this is a hidden group and only invited members can join" message, but you can view the group title, description, and see the admin/moderator avatars.
This would be the same behaviour as if you try to access the group admin page URL without authorisation (it 404s), and I think it would be more consistent, as well as having the benefit of keeping the hidden group's title and description hidden.
The latter could be achieved by updating the templates but that means putting core logic into the default theme(!).
Possibly. The behavior you describe is the same as in earlier versions of BP. I think we're too late into this cycle to change what has likely become expected behavior, but I think we should discuss modemlooper's bouncing suggestion for the next version.
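The behaviour proposed in the comments above, as an added sketch that is not BuddyPress code and not from the ticket's participants: access is decided once, before the sub-page is looked at, so every URL under a hidden group gives a non-member the same 404 as a group that does not exist. The `Group` class, the `handle` function and the sample groups are constructed for illustration.

```python
# Added illustration, not BuddyPress code. All names and data are constructed.
from dataclasses import dataclass, field


@dataclass
class Group:
    slug: str
    status: str  # "public", "private" or "hidden"
    title: str
    members: set = field(default_factory=set)


# Constructed sample data.
GROUPS = {
    "pauls-hidden-group": Group("pauls-hidden-group", "hidden",
                                "Paul's Hidden Group", {"paul"}),
    "book-club": Group("book-club", "private", "Book Club", {"ann"}),
    "announcements": Group("announcements", "public", "Announcements"),
}

NOT_FOUND = (404, "Page not found")


def handle(path, user=None):
    """Return (status, body) for a /groups/<slug>/<subpage>/ request."""
    parts = [p for p in path.split("/") if p]
    if len(parts) < 2 or parts[0] != "groups":
        return NOT_FOUND
    group = GROUPS.get(parts[1])
    if group is None:
        return NOT_FOUND
    is_member = user is not None and user in group.members
    # Decide access before routing to a sub-page, so the group root and
    # /home/, /members/, ... can never disagree with each other.
    if group.status == "hidden" and not is_member:
        # Identical to the response for an unknown slug: no title,
        # description or admin avatars are rendered.
        return NOT_FOUND
    if group.status == "private" and not is_member:
        # Private groups stay reachable so a user can request membership.
        return (200, f"{group.title}: request membership")
    subpage = parts[2] if len(parts) > 2 else "home"
    return (200, f"{group.title}: {subpage}")
```
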