BuddyPress.org

Opened 10 years ago

Closed 10 years ago

Last modified 8 years ago

#6330 closed idea (no action required)

Private messages - User Switching plugin

Reported by: Stagger Lee
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Core
Keywords:
Cc: pericam@…

Description

First, I will say I know that it is possible to read private messages from other users if you have root access to the database. Export as any of the extensions and read. But it is difficult, chaotic, and not easy to find/read private messages from the table.

So in some way this is standard for almost all forum scripts and it is as it is, and thank God it is not easy to do.

My question is about the User Switching plugin. With a few clicks you are inside any user profile and you can read private messages as they read them.

Probably it is not easy to limit browser access to private messages of other users and neutralize plugins like User Switching.

But, just to ask anyway: would it be technically too demanding to limit the effects of such user switching plugins?

Change History (4)

#1 @Stagger Lee
10 years ago

https://wordpress.org/plugins/user-switching/

I wrote this trac because of the panic and paranoia forum users usually have if they hear someone can so easily read their private messages.


#2 @r-a-y
10 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

BuddyPress is tied to WordPress and their user system, so any plugin such as User Switching makes it possible for admins to view anyone's logged-in content.

User Switching only allows admins, by default, to log in as another user anyway. If you are afraid of plugins like User Switching, do not install them on your site.

#3 @Stagger Lee
10 years ago

  • Cc pericam@… added

@r-a-y, thanks.
I personally never have a problem with it, never directly.

Meant more to reduce the fear factor among the BuddyPress/bbPress population :)

Please delete this trac; better not to mention this at all. What they don't know, they cannot fear.

#4 @DJPaul
8 years ago

  • Component changed from API to Core