[buddypress-trac] [BuddyPress] #2293: Hidden groups activity shows in friends > activity screen of non group members

buddypress-trac at lists.automattic.com
Thu Apr 15 16:54:59 UTC 2010

#2293: Hidden groups activity shows in friends > activity screen of non group
 Reporter:  hnla      |       Owner:                          
     Type:  defect    |      Status:  new                     
 Priority:  critical  |   Milestone:  1.3                     
Component:  Core      |    Keywords:  has-patch, needs-testing

Comment(by hnla):

 Replying to [comment:6 boonebgorges]:
 > hnla - The tone of your original bug report "however Bob finds he can
 still use the Reply link" made it sound like the reply link was the
 problem. Do you think that the entire activity item should be hidden? Now
 that I think about it, I'm leaning toward yes - if I post something in a
 private group, I am assuming that the content of what I post (even if it's
 just an excerpt as shown in an activity item) should not be visible to
 outsiders, even if they are my friends. Does that seem right?

 Sorry if it was confusing it was an attempt to impart all the steps and

 The primary concern was that the Hidden group activity was showing up in
 an activity stream of a user who wasn't a member of that group but was
 shown to them due to the fact that they were '''Friends''' with someone
 who was a member of that hidden group, the issue proved to be further
 compounded by the fact that the user NOT a member of this hidden group was
 able to use the reply button to add a response to the update made to the
 hidden group.

 Ergo there is a fatal flaw in the activity logic it hasn't taken into
 account members being friends BUT NOT necessarily BOTH being members of
 the same hidden group, the friends activity is broken as such and in a
 critical manner. A hidden group MUST be just that if we have sensitive
 discussions underway we do not want them seen by uninvited members.

 So yes I do think that the entire activity of that group must be hidden,
 and I'm leaning towards the safest option being ALWAYS and despite a user
 having access to that group, simply do not bring Hidden group activity
 into any site wide stream it's too risky, members of hidden groups will
 visit that group they do not need to see updates in the general activity

Ticket URL: <http://trac.buddypress.org/ticket/2293#comment:7>
BuddyPress <http://buddypress.org/>
