[buddypress-trac] [BuddyPress] #3462: Hidden groups are accessible via url

buddypress-trac at lists.automattic.com
Sun Oct 9 16:28:29 UTC 2011

#3462: Hidden groups are accessible via url
 Reporter:  modemlooper   |       Owner:
     Type:  defect (bug)  |      Status:  assigned
 Priority:  normal        |   Milestone:  1.6
Component:  Core          |     Version:  1.5
 Severity:  normal        |  Resolution:
 Keywords:                |
Changes (by DJPaul):

 * owner:  DJPaul =>


 Having reviewed the code and my earlier assumption when working on #3669,
 my point about the above links is still valid, but I've learnt the groups
 do redirect to the first URL and display a "you don't have access"
 message, so it's not as simple as removing an !empty() check, which is
 what I thought the problem was originally.

 As Public and Private groups can be read by any user, I think the current
 behaviour is fine; especially for Private groups, as the user needs to be
 able to request membership somehow (a site may not use the groups
 directory, for example).

 For Hidden groups, I think we should change the behaviour so that if you
 don't have access, (all of) the link(s) 404. At the minute, you can see a
 "this is a hidden group and only invited members can join" message, but
 you can view the group title, description, and see the admin/moderator
 This would be the same behaviour as if you try to access the group admin
 page URL without authorisation (it 404s), and I think it would be more
 consistent, as well as having the benefit of keeping the hidden group's
 title and description hidden.

 The latter could be achieved by updating the templates but that means
 putting core logic into the default theme(!).

Ticket URL: <https://buddypress.trac.wordpress.org/ticket/3462#comment:3>
BuddyPress <http://buddypress.org/>
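
A small model of the access rule proposed in the comment above, added here as an illustration; it is not BuddyPress code and not part of the original message. The group data, the sub-page names and the `respond` / `leaks_existence` helpers are constructed assumptions. It checks that every URL under a hidden group answers a non-member exactly as an unused slug would, so neither the title nor the group's existence leaks.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Group:
    slug: str
    title: str
    description: str
    status: str          # "public", "private" or "hidden"
    members: frozenset
    admins: frozenset

# Constructed sample data, not taken from any real site.
GROUPS = {g.slug: g for g in (
    Group("knitting", "Knitting", "Open to all", "public",
          frozenset({"ann"}), frozenset({"ann"})),
    Group("board", "Board", "Ask to join", "private",
          frozenset({"bob"}), frozenset({"bob"})),
    Group("merger", "Merger plans", "Confidential", "hidden",
          frozenset({"cat"}), frozenset({"cat"})),
)}

NOT_FOUND = (404, "Page not found")

def respond(user, slug, subpage="home"):
    """Return (status_code, body) for /groups/<slug>/<subpage>/."""
    group = GROUPS.get(slug)
    if group is None:
        return NOT_FOUND
    is_member = user in group.members
    # Admin screens already 404 without authorisation (as the comment notes).
    if subpage == "admin":
        return (200, f"{group.title}: admin") if user in group.admins else NOT_FOUND
    # Proposed rule: a hidden group looks like a missing one to non-members.
    if group.status == "hidden" and not is_member:
        return NOT_FOUND
    if group.status == "private" and not is_member:
        # Header stays readable so the user can request membership.
        return (200, f"{group.title}: {group.description} [request membership]")
    return (200, f"{group.title}: {group.description} [{subpage}]")

def leaks_existence(user, slug, subpages=("home", "members", "forum", "admin")):
    """True if any URL under the group differs from the reply for an unused slug."""
    baseline = respond(user, "no-such-group-slug")
    return any(respond(user, slug, page) != baseline for page in subpages)
```
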
