Restricting access to user information

robhoare
Is there a way to set permissions on the user information page?  This is the page you get when clicking on a user name, showing the details of a user and the subjects of all their posts.

Currently, all this information is available to anybody (even unregistered visitors).  It includes, for example, the subject line of topics posted in member-only (private) forums.  So it means that anybody can see what subjects are being discussed in sub-forums which have permissions set to members-only, without being a member.

Best of all would be to follow the permissions on this page, if somebody is unregistered they should not be able to see the subject lines.  It should be restricted to users who have the right permissions on that sub-forum.

Re: Restricting access to user information

GregChapman
Have I missed your point or have you missed the Show_group_members option (Which groups allow members to be listed) on the Permissions page?
       
Volunteer Helper - but recommending that users move off the platform!
Once the admin for GregHelp now deleted.

Re: Restricting access to user information

robhoare
Greg, this seems to be two different things.  The Show_group_members is for allowing (or not) members of a group to be listed, rather than allowing (or not) the details of an individual member's activity to be listed.

Even with Show_group_members turned off for every group, it's possible to get the subjects of posts of the founder (from the home page link), and of any member who posts in public groups, even posts that are in members-only groups.

Take for example my name at the footer of http://www.riocoloradoestates.com .  Click on it to get a list of all my (test) messages.  The "General Discussion" section is a private section, below "Members Only" which is restricted to those in the "members" group.  The page clearly knows this, as it marks them as "private" (and, when they're clicked on, the access controls work).  

However, I don't think it's intentional for the names of private groups (in this case, "General Discussion"), which would not otherwise be known to non-members, and even the subject of every post of every thread I've contributed to in those private areas, to be visible to all, even those who have never registered.  

For my particular application (a message board for a home owner's association), the main aim of privacy in this case is to hide messages like "the Smiths will be away for a month" from burglars etc., which is why even the subject being visible to all is not a good idea.  

Others may have more to hide, and not realise the subjects of everything they're discussing (e.g. "Confidential - Our new model will be launched May 5th") or a sub-topic ("Jones takeover plans") are being leaked.

A work-around for those who want their subjects hidden would be to never post anything in any section which is not hidden (or have no public sections at all), because it will reveal their username and give a link to the subjects of all their "hidden" posts (and use a separate, non-posting, id for the creator of the board, as that name can't be removed from the home page).  Even then a brute-force attack stepping through the node numbers would get the user info pages eventually.

A solution would be to apply the topic permissions to the subject listing.  The user info page already knows these subjects are private (it puts "private" after them), so there's no extra look-up needed.  So rather than putting that, it should not show the subject or sub-topic, unless the user looking has the right permissions to see the message contents.  

Another solution, maybe simpler, is to put group permissions on the user info pages /template/NamlServlet.jtp?macro=user_nodes&user= , so they can optionally be restricted to being seen by certain groups, rather than visible to even unregistered visitors, as at present.

Rob
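
The two fixes proposed in the post above, sketched as an added example that is not part of the original thread and is not Nabble's code: a small Python model of the user info listing, first as described (private subjects tagged but still shown), then with the forum's View permission applied per entry and an optional page-level group restriction. The group names, class names, function names and the "Welcome" post are assumptions made for illustration.

```python
from dataclasses import dataclass

ANONYMOUS = frozenset({"anyone"})  # assumed group held by unregistered visitors

@dataclass(frozen=True)
class Forum:
    name: str
    view_groups: frozenset  # groups allowed to view this sub-forum

@dataclass(frozen=True)
class Post:
    author: str
    subject: str
    forum: Forum

def can_view(viewer_groups, forum):
    """True if the viewer holds at least one group with View on the forum."""
    return bool(viewer_groups & forum.view_groups)

def listing_leaky(posts, author, viewer_groups):
    """Behaviour described in the thread: every subject is listed and private
    ones are only tagged, so subject and forum name reach any visitor."""
    return [
        (p.subject, p.forum.name, "" if can_view(viewer_groups, p.forum) else "private")
        for p in posts if p.author == author
    ]

def listing_filtered(posts, author, viewer_groups, page_groups=None):
    """Proposed fixes: drop entries the viewer may not read; page_groups
    optionally restricts the whole page to certain groups."""
    if page_groups is not None and not (viewer_groups & page_groups):
        return []
    return [
        (p.subject, p.forum.name)
        for p in posts
        if p.author == author and can_view(viewer_groups, p.forum)
    ]

# Constructed sample data modelled on the board described in the thread.
PUBLIC = Forum("How to join", frozenset({"anyone", "members"}))
PRIVATE = Forum("General Discussion", frozenset({"members"}))
POSTS = [
    Post("member1", "Welcome", PUBLIC),
    Post("member1", "The Smiths will be away for a month", PRIVATE),
]

if __name__ == "__main__":
    print(listing_leaky(POSTS, "member1", ANONYMOUS))
    print(listing_filtered(POSTS, "member1", ANONYMOUS))
    print(listing_filtered(POSTS, "member1", frozenset({"members"})))
```

The same `can_view` decision that produces the "private" tag in the first function is what the second one uses to omit the entry, which is the point made in the post: no extra look-up is needed.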

Re: Restricting access to user information

GregChapman
You are right, it is two different things - and it does appear to be a bug.

I have raised an issue concerning privacy before, but that was related to the different way that the different applications seem to treat the "View" permission.

In my case it concerned how, in a MIXED forum, I could hide a sub-forum but from authenticated users, but not when the top-level application was a FORUM, but then, in my MIXED forum it did not show to member users and could only be accessed via a direct URL. Certainly, the behaviour does not seem intuitive to me.

At least with your query it seems easy to understand - and wrong!
Volunteer Helper - but recommending that users move off the platform!
Once the admin for GregHelp now deleted.

Re: Restricting access to user information

robhoare
Thanks Greg.  

It does seem to be a bug in the permissions system.  Or maybe intentional (putting "private" after the messages shows there has been some thought as to what to do with them), but still wrong.

How do I go about reporting a bug?  Is this thread here enough, or is there a bug tracker?

I had a look through many of the other Nabble forums and couldn't find any that had an open sub-topic (my "how to join" topic), and some private sub-topics.  Most other forums are either entirely open, or entirely private (first screen is a logon screen).  So this may be why it hasn't been spotted before.

Re: Restricting access to user information

GregChapman
This thread should be enough, though sometimes the Nabble folk miss things here, when a post in the Premium Forum can give them a nudge.
Volunteer Helper - but recommending that users move off the platform!
Once the admin for GregHelp now deleted.