Skip to:
Content

BuddyPress.org

Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#6888 closed defect (bug) (no action required)

BuddyPress Activity Stream Privacy Issue

Reported by: terranova23's profile terranova23 Owned by:
Milestone: Priority: normal
Severity: normal Version: 2.4.0
Component: Core Keywords:
Cc:

Description

Hi there,

First of all, we're running the latest version of Wordpress, BuddyPress, and bbPress, as well as MemberMouse. My client runs a website which features online courses which need to be kept private from one another. They are using a mixture of those three plugins to achieve that. However, if a user views the profile of a user in a different group (set to private) they can see private forum posts listed in their activity stream. They can't click through, but just viewing those topics creates a privacy issue.

Until now we have kept the activity stream disabled to avoid this issue, but we would like to be able to use the activity stream feature, but fixed to ensure people can't see into the other groups they shouldn't have access to.

I see this issue has come up many times before and have read a bunch of threads about it without any luck. On this thread: https://buddypress.org/support/topic/bugs-between-bbpress-and-buddypress there was an invitation to start a Trac if people still had issues. Since this doesn't seem to have been resolved, here I am.

Our groups are set to private and I just used the recalculate tool to ensure the database considers them private. We did also try reverting to default themes and disabling all but the relevant plugins and that didn't change anything.

As far as what steps should be taken to recreate the problem, here is what I propose: A setup where there are at least two unique and private groups, two users, one with access to only one of the groups. If one user is able to see posts from the other user while in their activity feed, that is our issue.

Of course, if progress has been made on this or workarounds have been posted that would fix it, please let me know. But after looking through the many threads about this issue, I wasn't able to find anything.

Thanks very much for your time.
Rory

Change History (5)

#1 @imath
8 years ago

Hi terranova23,

Thanks for your feedback

When the activity table field hide_sitewide is set to 1, then the activity is only viewable by the logged in user and inside the private/hidden group. Do you know if the activities you are talking about are using this specific field to inform the activity is not to be shown site widely ?

Last edited 8 years ago by imath (previous) (diff)

#2 @r-a-y
8 years ago

As far as what steps should be taken to recreate the problem, here is what I propose: A setup where there are at least two unique and private groups, two users, one with access to only one of the groups. If one user is able to see posts from the other user while in their activity feed, that is our issue.

terranova23 - Have you tested this yourself?


I would say this is a duplicate of #6198.

Check out the corresponding bbPress ticket - #BB2599 - and test the latest fix. Then, try to duplicate your problem on a fresh install to see if the problem persists.

#3 @terranova23
8 years ago

@imath I'm not sure if I understand your question, but I can tell you that the groups are set to private and I did use the recalculate privacy tool, so my understanding is that those groups should be set to 1 for hide_sitewide. If you can point me to where I should look in the database (are you talking about groups or specific activities?) I can double check.

@r-a-y From the ticket you posted, it looks like that user is saying her forums were set to public, and that was causing the forum activity to appear in the stream even though the groups are set to private. I just checked, and indeed, many of our forums are set to public.

I've just looked up several threads discussing the privacy settings for bbPress and I'm not sure I fully understand. If I set them to private, will the site users be unable to access the forums? I just want to avoid having tons of users get shut out of their class forums. If you can point me to a page with some clear info on this I'd be grateful as I wasn't able to find one.

As far as recreating the issue, I have not done this test, though I can if these other solutions don't solve the problem.

Thank you both for your time and your responses.

#4 @r-a-y
8 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

The issue lies with bbPress not changing the forum privacy when a BuddyPress group's privacy is changed (#BB2599).

There is a fix in that ticket, but it is not released yet, so you'll have to manually patch bbPress or run the latest developmental version of bbPress to get the fix.

For all currently affected forums attached to BuddyPress groups, I believe you'll have to manually change the forum privacy and remove the private forum-related activity items in BuddyPress.


If I set them to private, will the site users be unable to access the forums?

Yes, that should protect the forum from being accessed directly. However, as I noted above, the activity items (if any) that were published during the group status change will need to be manually removed.

If you can point me to a page with some clear info on this I'd be grateful as I wasn't able to find one.

There isn't one that I am aware of, but I agree that this is an annoying issue.


I'm going to mark this a duplicate of #6198 due to your feedback, @terranova23, since you have the exact same problem as listed in that ticket.

Please reply to #6198 if you have any follow-up responses.

#5 @DJPaul
8 years ago

  • Component changed from API to Core
Note: See TracTickets for help on using tickets.