Private group forum posts visible in public feed
- This topic has 13 replies, 5 voices, and was last updated 11 years ago by visionsynergy.
-
AuthorPosts
-
August 6, 2013 at 2:58 pm #3300visionsynergyParticipant
I have a question about the privacy of forum feeds.
I have a standard CBOX setup with public, private, and hidden groups. All groups have forums. I would assume that posts in a private group forum would NOT be visible in the public RSS feed, but they are.
For example, the feed for “https://{mysite}/forums/feed/” shows all recent forum posts, including those from private group forums. I do not see posts from hidden group forums.
Am I missing something obvious? Is this expected behavior? Can I change this?
August 6, 2013 at 4:33 pm #3301Bowe FrankemaMemberHi Lucas,
This seems to be a BBPress 2 issue (and a serious one). Here’s a fix that will disable the creation of BBPress feeds entirely. Hopefully they’ll fix this in the next BBPress release.
Add the following to functions.php of your CBox Child Theme.
function disable_our_feeds() { wp_redirect(get_option('siteurl')); } add_action('bbp_feed', 'disable_our_feeds', 1); // Disables BBPress feeds add_action('do_feed', 'disable_our_feeds', 1); add_action('do_feed_rdf', 'disable_our_feeds', 1); add_action('do_feed_rss', 'disable_our_feeds', 1); add_action('do_feed_rss2', 'disable_our_feeds', 1); add_action('do_feed_atom', 'disable_our_feeds', 1);
August 6, 2013 at 4:52 pm #3302Matthew K GoldModeratorJust want to check on something. Are you a superadmin on this site?
And are you looking at the site feed while logged in? If so, you’ll
see content in the site feeds that others won’t see; try logging out
and/or viewing the site the site in a Chrome incognito window or
Firefox private browsing window.If the content shows up for logged-out users, look to Bowe’s advice.
Best,
Matt
August 6, 2013 at 7:07 pm #3303RayKeymasterHi,
This sounds like a bug in bbPress.
Try this workaround I wrote in this comment:
https://github.com/cuny-academic-commons/cbox-theme/issues/150#issuecomment-19228271The problem has to do with bbPress not updating the visibility field in the database when a private or hidden group adds a forum.
I’ve already posted a bug report in bbPress:
https://bbpress.trac.wordpress.org/ticket/2349This should be addressed when bbPress 2.4 is released. FYI, CBOX currently uses bbPress 2.3.2.
August 7, 2013 at 4:11 am #3307Helene FinidoriParticipantI am NOT SURE private groups are meant to be hidden in feeds and have ‘hidden’ activities. At least for logged in users. Hidden groups yes.
The difference I see (and that’s how it operates in facebook) is that public groups you can just join, whereas private groups can be ‘showcased’ by being visible but you need to request invitation and be accepted in.
I would NOT appreciate a future version of BBpress to hide private groups activity from view of logged in members. Otherwise, what would be the difference with hidden groups? ‘Fixing’ this would have a lot of implications!
Thanks.
August 7, 2013 at 4:22 am #3308Helene FinidoriParticipantApologies. I made some changes above. I had understood the feed was to be hidden for logged in users. If it’s only logged out users, then I guess it’s ok.
August 7, 2013 at 8:01 am #3310Matthew K GoldModeratorHi Helene,
Private and hidden group activity should be hidden from both logged-out and logged-in users unless they are members of the groups in question or superadmins.
August 7, 2013 at 10:44 am #3312Helene FinidoriParticipantAs far as hiding private group’s activity to logged in users, I’m wondering then what the difference is with hidden groups… Could you explain?
August 7, 2013 at 10:50 am #3313Matthew K GoldModeratorHi Helene — here’s the info we give on the CUNY Academic Commons about that subject – http://help.commons.gc.cuny.edu/faq/#What.27s_the_difference_between_public.2C_private.2C_and_hidden_groups.3F.C2.A0
August 7, 2013 at 2:06 pm #3314visionsynergyParticipantRe:
Matt, thanks for helping to troubleshoot. Yes, I am a superadmin but I tested as a logged out user via Opera & Firefox. I also tested via my Android RSS app (SparseRSS). I can confirm that forum feeds for public, private, and hidden groups are visible to the public (logged out users).
August 7, 2013 at 2:21 pm #3315visionsynergyParticipantRe:
@bowe & @r-a-y, thanks for your replies!
@r-a-y, can you please clarify a bit more re: your comment? I see from the link that you posted a workaround for a different/related issue and that there is a planned fix for that visibility bug in a future release of bbPress.
In the meantime, is the workaround you suggest something that needs to be done every time a new group/forum is created, or once for all?
We already implemented Bowe’s stop-gap to disable all bbPress (not BuddyPress) feeds, but that’s not really what I want moving forward. I’d prefer for feeds to be active.
August 7, 2013 at 2:44 pm #3316visionsynergyParticipantRe:
@helenef, I agree with what @mkgold said. Private and hidden groups are intended to keep membership/activity/discussion within those groups private. A hidden group is simply a private group that is not listed in the directory. A community member would not even know a hidden group existed unless they were invited to join that group. These three levels of group privacy (public/private/hidden) are an important (critical) feature, imho.
In our case, our community involves individuals who work in some very unstable parts of the world in a wide variety of humanitarian activities. The ONLY way I was able to recruit the small group of alpha test users we have right now is by explaining the security/privacy features we were putting in place:
* SSL encryption (entire site) via Cloudflare
* Invitation-only membership (I love the InviteAnyone feature!)
* Limited public/member profile visibility (Extended profiles are great – default settings are only username/avatar publicly visible, other fields visible only to logged in members, and still other fields only visible to friends)
* Private & Hidden groups/forums
* Hosting on a secure & reliable platform (WPEngine)
Two months from now, we had planned to send out our invitations to 3000 people who had signed up to our launch notification list. Naturally, I panicked when we got around to testing feeds and found that the supposedly private discussions of our current users were visible to the public.
August 7, 2013 at 2:57 pm #3317visionsynergyParticipantRe:
Okay, here’s the latest.
@bowe and @r-a-y … you guys are a-w-e-s-o-m-e !!!
Many thanks for saving my life.
For anyone else watching this issue, it appears that the solution from @bowe will work if you want to just turn off all feeds. We also implemented the workaround from @r-a-y and it works as advertised. I still don’t know if this is a one-time fix or a regular maintenance task every time a group/forum is created (until the bug is fixed in the next bbPress release).
December 10, 2013 at 6:48 pm #4066visionsynergyParticipantAfter upgrading to WP 3.7.1 and CBOX 1.0.6
I still have this ongoing issue.
I’m not sure what to do. As I understand the situation, this problem represents a major security flaw.
Every member in my community has the ability to create new groups (public/private/hidden). Every time a private/hidden group is created in my community, I must go to:
Menu > Tools > Forums
and use the bbPress tool:
“Recalculate private and hidden forums”
to reset forum visibility.
Otherwise, forum discussions in my private/hidden groups will be visible in public feeds!
Anyone else have an update or permanent fix on this issue?
This one keeps me up at night.
-
AuthorPosts
- You must be logged in to reply to this topic.