Group permissions broken - private content accessible to all

In 1.7.10 I have a test group set up so that no one except my test accounts should see it. The membership permissions are:

  • Group membership permissions: "Closed - users must be invited"
  • Who can see this group: "Friends"

But other site users (who are NOT friends and NOT members of my test group) can see the topic titles in the "Latest discussion" view of <site-name>/pg/groups/all/, and they can also click the topic name in that "latest discussion view" and see the content of the private group topic. The URL is a standard topic URL with the permissions as above: <site-name>/pg/forum/topic/<topic-id>/<title>/

Anyone else see this problem in 1.7.10 or other versions? Basically people who aren't supposed to see group content can get in w/o a hitch.

  • Most likely (probably) a flaw in the data model logic - Group Permissions and Comments (annotations) are different attributes..

  • I've confirmed they can see the topic names in the Latest Discussion, but it doesn't allow you to see the actual posts in 1.7.11. If you set the group to an access level the testing user can't see, it breaks completely, but they still can't see the content.

    There are four systems at work here that confuse this:

    1. The group's "join" setting.

    2. The group's "hidden" setting. (Allow hidden / private groups in the plugin settings for groups in the admin area)

    3. The topic's actual permissions. (Private, Logged in users, Friends, etc).

    4. Admin permission overrides. Admins can see everything.

    The short story is the group is just a container, and content can have its own access separate from the group's access. 

  • #4 -- yep ;) too much flexibility & power ! i once coded something some time.. ago -- to make "closed" groups kinda really *closed regardless of topics' accesses ;( so that the group's accesses automatically cascaded downward for eternity. Groups PlugIn has been cited before as being 'clunky' like / messy to play with ;O.. I wonder if we'll get a more streamlined piece of code anytime or.. one's gotta re-write a new 'Groups' ?

  • even in 1.7.11?

    That means that you have to manage the content of titles and avoid descriptive topic titles that might be sensitive. That means no private HR topics like "Planned reduction in benefits" or "Layoff plans for Q3" or anything of that sort.

    My expectations were more in line with Dhrup's comment - I would think that the topic inherits the group permissions and comments inherit the topic permissions.

    Still, the fact that my "Friends only" group was still showing up in the Public topic list.

    Bummer. That means more thinking.

  • Unfortunately the groups plugin is pretty convoluted and the victim of intense feature and scope creep. It's pending a rewrite, but we haven't had enough time.

    It would be fairly easy to write a plugin that hides the access dropdown in the topic form, then overrides the action for create topic and reply and make those both inherit the access level of the group they're posted under. It's not out of the box, but should do what you want.

  • Yep, After "patching" Groups code for BrainTrainZ and for JedSite and momentarily feeling warm and fuzzy about the (sic) achievement - going back over the 'Core' interlacings ;( I was 2/3 sorry for having dabbled in that sector.

    The Access control cascade extensions though were (hack) coded (quite messy!) into the 'Clone' of Groups - calling it a different Groups PlugIn ;-O For a second shot I'd either code very differently (first cut was a rather long young time ago) or leave it well enuff alone. I think posted similar sentiments when Groups were first being discussed (to the point of getting its own Group Topic). The slightly neater option seemed to be the SuperGroups 'fork' by Zak.

    An *alternative Groups PlugIn might be a better way to go if one does not want to delve into Groups and related Core code areas. Though I 1/2 wish I could find or 'make' the spare time needed to try a proper-like formal re-write.. Any volunteers to join or support lolz ?

    ( Within a few minutes of yr posting is pure coincidence ;)
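
The access behaviour discussed in this thread, sketched as an added Python model (not part of the original posts and not Elgg code): it contrasts checking only a topic's own access level with cascading the group's level, shows the inherit-on-create approach suggested above, and audits for topics that are readable by someone the group excludes. All names and the access-level strings are hypothetical stand-ins, and the group owner is assumed to own the topics as well.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    friends: set = field(default_factory=set)
    admin: bool = False

@dataclass
class Group:
    owner: User
    access: str  # "private" | "friends" | "logged_in" | "public"

@dataclass
class Topic:
    title: str
    group: Group
    access: str  # chosen per topic, independently of the group

def allowed(level, viewer, owner):
    # viewer is None for a logged-out visitor; admins and the owner always pass
    if viewer is None:
        return level == "public"
    if viewer.admin or viewer is owner or level in ("public", "logged_in"):
        return True
    return level == "friends" and viewer.name in owner.friends

def visible_independent(viewer, topic):
    # Container model: only the topic's own access level is consulted.
    return allowed(topic.access, viewer, topic.group.owner)

def visible_cascaded(viewer, topic):
    # Cascade: the group's level must admit the viewer as well.
    return (allowed(topic.group.access, viewer, topic.group.owner)
            and visible_independent(viewer, topic))

def create_topic_inheriting(group, title):
    # No per-topic choice: the new topic copies the group's access level.
    return Topic(title, group, group.access)

def leaking_topics(viewer, topics):
    # Audit: topics the viewer can read although the group is closed to them.
    return [t.title for t in topics
            if visible_independent(viewer, t) and not visible_cascaded(viewer, t)]

def sample():
    # Constructed data: friends-only group, one topic left at "logged_in".
    group = Group(User("owner", friends={"tester"}), "friends")
    return [Topic("Q3 planning", group, "logged_in"),
            create_topic_inheriting(group, "Test notes")]
```

Running `leaking_topics` for a logged-in non-friend against `sample()` flags only the topic whose own level is wider than the group's; the topic created through `create_topic_inheriting` is never flagged.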