Group Collaboration: All private topics become public in the profile's news feed!!

Hello @Kevin Carwile

I just noticed that in a private Group Collaboration where topics are totally private and not accessible to guests, it's enough for the guest to go through the profile of a forum member to be able to access all topics from his news feed, even if these topics are private! O.o

Indeed, if a guest clicks on the username of a forum member, he can read the content of topics from a sub-forum that he does not have access to...

Here are the steps to reproduce this problem:

  • I connect to the site as a user.
  • I access a private Group Collaboration whose content is totally private and not available to guests, only to Group Collaboration members. I am not a member of the private Group Collaboration.
  • I can't read or see anything from this private Group Collaboration.
  • I click on the avatar of a Group Collaboration member, and I access their news feed.
  • I can see the content of private topics that I do not normally have access to on the Group Collaboration because I am not a member of the group.
  • If I click on the topic, only then do I get the message "The club content is only visible to members".
  • I can get the same result from the "All activity" feed on the site.

It seems to me to be a serious permissions bug in the Group Collaboration that needs to be fixed.

Can you please tell me how to fix it or, if it is a technical bug, fix it quickly?

Thank you for your advice


I cannot confirm this.

  1. I created a collab.
  2. I created a forum inside that collab
  3. I set the forum permissions so that non-collab members are not permitted to see the forum or read the topics
  4. I posted in that forum.
  5. I logged into the site as a different user who is not joined to the collab.
  6. I viewed the user profile who I posted with in step 4. I could not see the post in the user activity tab. I could not see the post in the site activity feed either.
  7. I logged back in as the original user who is part of the collab and changed the forum permissions to allow non collab members to be able to see the forum and read the topics.
  8. I logged back in as the user in step 5. I was now able to see the post in the user activity feed as well as the site feed.

I need you to be very specific as to your collab configuration. How is it that you've configured the topics in question to be "totally private and not accessible to guests"?


Hello @Kevin Carwile

Thank you for your quick feedback. The steps described are exactly the right thing to do; you have understood the situation.

Can you please try to do the same thing again by activating Elasticsearch instead of MySQL for the search and see if you get the same result?

Regards. 


The collab search was never tested against an ElasticSearch implementation. I was able to confirm that the problem does occur with an ElasticSearch index and not a MySQL index.

I published a new version of GC with support for the ElasticSearch index which should solve this problem.

However, in the process of troubleshooting this issue and adding support to GC, I noticed a bug in core IPS which causes the permissions to be saved incorrectly to the ElasticSearch index when you edit the permissions of a node. This means that after rebuilding your index, the permissions issue should be fixed, but if you update the permissions for a node, it can then be incorrectly omitted from searches/activity feeds. This is the opposite problem of it being incorrectly exposed, but nevertheless, a problem.

You can report that particular bug to IPS support. The bug is located at:
./system/Content/Search/Elastic/Index.php : line 623

The permissions should not be saved to the index as a JSON-encoded string, but rather saved directly as an array for proper searchability.

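The indexing problem described in the post above, as an added illustration that is not code from IPS or Group Collaboration: a small model of how a permission filter treats an array value versus a JSON-encoded string, plus a check that flags stringified permission fields in exported documents. It assumes the permission field is mapped as an Elasticsearch `keyword`; the field name `view_permissions`, the group ids and the sample documents are hypothetical.

```python
import json

# Assumption: the permission field is mapped as an Elasticsearch `keyword`.
# For such a field an array value yields one indexed term per element,
# while a string value is indexed whole as a single term.
def indexed_terms(value):
    if isinstance(value, (list, tuple)):
        return {str(v) for v in value}
    return {str(value)}

def terms_filter(docs, field, allowed):
    """Model of a `terms` query: match if any indexed term is in `allowed`."""
    allowed = {str(a) for a in allowed}
    return [d["id"] for d in docs if indexed_terms(d[field]) & allowed]

def audit_stringified(docs, field):
    """Return ids of documents whose permission field is a JSON-encoded list."""
    flagged = []
    for d in docs:
        value = d[field]
        if not isinstance(value, str):
            continue
        try:
            decoded = json.loads(value)
        except ValueError:
            continue  # plain string, not JSON
        if isinstance(decoded, list):
            flagged.append(d["id"])
    return flagged

# Constructed sample documents; field name and group ids are hypothetical.
PERM_FIELD = "view_permissions"
DOCS = [
    {"id": "topic-1", PERM_FIELD: [4, 7]},              # saved as an array
    {"id": "topic-2", PERM_FIELD: json.dumps([4, 7])},  # saved as a JSON string
    {"id": "topic-3", PERM_FIELD: [9]},                 # readable by group 9 only
]

if __name__ == "__main__":
    # A member of group 7 should see topic-1 and topic-2; the stringified
    # document is silently dropped from the result.
    print(terms_filter(DOCS, PERM_FIELD, [7]))
    print(audit_stringified(DOCS, PERM_FIELD))
```

Running the audit over documents exported from the index after a permission edit shows which nodes were re-saved in the stringified form and need reindexing.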
On 2/27/2019 at 9:33 PM, Kevin Carwile said:

I published a new version of GC with support for the ElasticSearch index which should solve this problem.

Thank you very much for this patch that actually fixes this problem. In addition, it also fixed the other problem of Activity Feed Displays (The Feed Of All The Site Projects Instead Of My Project Feed) that I reported to you in this topic.

So all is ok for the moment :)

It's noted for the IPS bug

Thanks

SOLVED
