[buddypress-trac] [BuddyPress] #2293: Hidden groups activity shows in friends > activity screen of non group members
buddypress-trac at lists.automattic.com
Thu Apr 8 06:48:16 UTC 2010
#2293: Hidden groups activity shows in friends > activity screen of non group
members
--------------------+-------------------------------------------------------
Reporter: hnla | Owner:
Type: defect | Status: new
Priority: major | Milestone: 1.3
Component: Core | Keywords: hidden groups activity
--------------------+-------------------------------------------------------
Bob & Alice are friends.
Alice is a member of a Hidden group.
Bob is '''not''' a member of that same hidden group.
Bob logs in and navigates to his account/profile
Bob clicks link 'activity > friends'
Bob now sees all activity generated by his friends in all? areas.
Bob notices that Alice has posted to a group he hasn't seen before. He can
read the latest comment she has made but he can't access the group via the
links 'Group Name' or 'View' as he is correctly denied access -
'''however''' Bob finds that he can use the 'Reply' link on the update and
effectively post a reply to the group! This now appears threaded in the
update view on his screen.
Alice logs in and visits the hidden group where she finds a reply to the
last update she made but from a user who is not an invited member of this
hidden group.
Noticed in 1.2.2.1
Tested and confirmed same behavior in 1.2.3
While this defect exists, hidden groups are open and not safe to use as
suggested by their description.
--
Ticket URL: <http://trac.buddypress.org/ticket/2293>
BuddyPress <http://buddypress.org/>
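
The check this report implies, as an added PHP sketch that is not BuddyPress code and not part of the original ticket: one membership rule applied to both the friends stream (read) and the reply handler (write). The data model, function names and sample data are hypothetical and constructed for illustration.

```php
<?php
// Constructed model of the ticket's scenario. All names are hypothetical,
// not BuddyPress functions. User 2 = Alice, user 3 = Bob.
$groups = [
    7 => ['status' => 'hidden', 'members' => [2]],
    9 => ['status' => 'public', 'members' => [2, 3]],
];
$activities = [
    101 => ['user_id' => 2, 'group_id' => 7,    'content' => 'update in hidden group'],
    102 => ['user_id' => 2, 'group_id' => 9,    'content' => 'update in public group'],
    103 => ['user_id' => 2, 'group_id' => null, 'content' => 'profile status update'],
];
// One visibility rule shared by the read path and the write path.
function can_access_activity($viewer_id, array $activity, array $groups)
{
    if ($activity['group_id'] === null) {
        return true;                       // not a group item
    }
    if (!isset($groups[$activity['group_id']])) {
        return false;                      // unknown group: fail closed
    }
    $group = $groups[$activity['group_id']];
    return $group['status'] === 'public'
        || in_array($viewer_id, $group['members'], true);
}

// Read path: the friends stream drops items the viewer may not see.
function friends_stream($viewer_id, array $friend_ids, array $activities, array $groups)
{
    return array_filter($activities, function ($a) use ($viewer_id, $friend_ids, $groups) {
        return in_array($a['user_id'], $friend_ids, true)
            && can_access_activity($viewer_id, $a, $groups);
    });
}

// Write path: re-check access in the handler; a hidden Reply link is not a control.
function post_reply($user_id, $activity_id, $text, array $activities, array $groups, array &$replies)
{
    if (!isset($activities[$activity_id])
        || !can_access_activity($user_id, $activities[$activity_id], $groups)) {
        return false;                      // non-member reply is rejected, nothing stored
    }
    $replies[] = ['parent' => $activity_id, 'user_id' => $user_id, 'content' => $text];
    return true;
}

$replies = [];
var_dump(array_keys(friends_stream(3, [2], $activities, $groups)));
var_dump(post_reply(3, 101, 'hi', $activities, $groups, $replies), post_reply(3, 102, 'hi', $activities, $groups, $replies), count($replies));
```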