Poll plugin from Jerome Bakker has a security issue

I finally got around to installing Jerome Bakker's Poll plugin. https://elgg.org/plugins/2472711

I do like it... but here's a caution:

The Poll plugin doesn't play nicely with Groups. As a result, I'm restricting poll creation within Groups to group owners. You may want to do the same.

If you create a poll and allow it to be accessible to "Logged in users," anyone who takes the poll can see everything else in the group. Sadly, the Poll plugin exposes group security if you make just the poll available to everyone.

This is an issue even when _Accessibility of group content_ is set to "Members only" and when _Default group content access_ is set to "Group members only."

Compare this to Pages, which respects Group security. In the Pages menu, you can _preview_ a page from a Group, but if you try to view it, you get taken to the Group home, and two messages are displayed:

  • "You must be a member of this group to view the requested page." (pop-up)
  • "This group's content is accessible only by members."
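To make the gap concrete, here is an added example (my own model, not the Poll plugin's or Elgg's code) of the two checks involved: the per-entity access level on the poll ("Logged in users", "Group members only", etc.) and the group-level gatekeeper that Pages runs and the poll page apparently skips. Group and entity names, ids and the `content_access` field are constructed for the illustration.

```python
# Constructed model of Elgg-style access checks; not code from Elgg or the Poll plugin.
from dataclasses import dataclass, field
from typing import Optional

ACCESS_PRIVATE, ACCESS_LOGGED_IN, ACCESS_PUBLIC = 0, 1, 2   # fixed access ids

@dataclass
class Group:
    guid: int
    members: set = field(default_factory=set)
    content_access: str = "members_only"   # "Accessibility of group content"
    acl_id: int = 100                      # the group's own access collection

@dataclass
class Entity:
    guid: int
    owner_guid: int
    access_id: int                         # ACCESS_* or a group's acl_id
    container: Optional[Group] = None      # the group the entity was posted in

def entity_acl_allows(entity: Entity, user_guid: Optional[int]) -> bool:
    """Per-entity check only: all a plugin gets if it relies on the ACL alone."""
    if user_guid == entity.owner_guid or entity.access_id == ACCESS_PUBLIC:
        return True
    if entity.access_id == ACCESS_LOGGED_IN:
        return user_guid is not None       # any logged-in account passes
    g = entity.container
    if g is not None and entity.access_id == g.acl_id:
        return user_guid in g.members
    return False

def group_gatekeeper(entity: Entity, user_guid: Optional[int]) -> bool:
    """The container-level check Pages enforces: members-only groups stay closed."""
    g = entity.container
    if g is None or g.content_access != "members_only":
        return True
    return user_guid in g.members

def can_view(entity: Entity, user_guid: Optional[int], enforce_group: bool = True) -> bool:
    ok = entity_acl_allows(entity, user_guid)
    return ok and group_gatekeeper(entity, user_guid) if enforce_group else ok

def demo() -> dict:
    """Poll set to 'Logged in users' inside a members-only group; user 99 is a non-member."""
    group = Group(guid=10, members={20})
    poll = Entity(guid=30, owner_guid=20, access_id=ACCESS_LOGGED_IN, container=group)
    return {
        "acl_only": can_view(poll, 99, enforce_group=False),   # True: the leak
        "with_gatekeeper": can_view(poll, 99),                 # False: blocked
        "member": can_view(poll, 20),                          # True
    }
```

Restricting poll creation to group owners, as the post suggests, narrows who can create such a poll; only a gatekeeper like `group_gatekeeper` above closes the hole for polls that already exist.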