Opened 6 years ago

Closed 6 years ago

#1975 closed bug (fixed)

Group members shown with username and age when browsing groups as non member

Reported by: shevek
Owned by: shevek
Priority: critical
Milestone: 1.6
Component: BW Group
Keywords:
Cc:

Description

When browsing the groups all members can be browsed with their username and age. This is a severe privacy issue and needs to be addressed.

Change History (26)

comment:1 Changed 6 years ago by shevek

  • Milestone changed from unassigned to 1.6
  • Status changed from new to local_testing
  • Type changed from unknown to bug

Hide all members with non public profiles. Hide all group admins (except all members have public profiles). Show a hint that there are more members.

Fixed with: https://gitorious.org/bewelcome/rox/commit/7b4fd4d5ed9625a20e0a8295a00dc83e8bfde818

comment:2 Changed 6 years ago by midsch

I can access the lists of group members, but non-public members are ignored. But it's still possible to find out some group members with non-public profiles: in the overview and the discussions there is a list of threads, and the poster of the initial post is visible if the posting setting is worldwide. This is similar to public forum posts, but if the goal is to protect group memberships from visitors who are not logged in, the issue is not solved.

When not logged in:

  • localhost/members/$username/groups shows login for non-public members -> ok / for public profiles /members/$username/groups = localhost/members/$username/ is this intentional? The all-groups-page of a member with a public profile is not accessible this way.
  • Group admins are not visible in any case - intentional?

Another issue:

  • localhost/groups/$groupID when logged in I've got the link to localhost/groups/groupID/members, when logged out there's only the string "GroupMoreMembers? [2]" (the number is changing).

Last edited 6 years ago by midsch

comment:3 Changed 6 years ago by midsch

  • Status changed from local_testing to needs_work

comment:4 Changed 6 years ago by shevek

Before the changes I made, your membership and username were even revealed if you never posted anything to a world-visible thread. So at least that's an improvement.

The string you see is the placeholder for the message that should be shown in this case. The number is the number of additional members that would be visible if you're logged in.

As I didn't want to add the same to the group admins I decided to hide the entire section if no member is logged in.

comment:5 Changed 6 years ago by midsch

Yes, it is an improvement and it works locally. So it can't harm to release it. But it should not be set to resolved/fixed. (Logout for today ...)

comment:6 Changed 6 years ago by shevek

The problem mentioned in the bug report is solved as it clearly only concerns the member list.

I agree that we might want to discuss if the visibility of usernames for non logged in members (e.g. Google) for world posts is fine or not. That should be a different ticket or a discussion in the forum, though.

comment:7 Changed 6 years ago by shevek

  • Status changed from needs_work to local_testing

comment:8 Changed 6 years ago by shevek

  • Status changed from local_testing to to_alpha

Clear for alpha according to midsch's statement that it works locally.

comment:9 Changed 6 years ago by crumbking

There is a "GroupMoreMembers? [1]" on the overview? Seems not to be reachable via on-page translation. We might wanna add a "Login to see more group members" like I did in browse countries. What do you think? The number counter is not so important in this case.

comment:10 Changed 6 years ago by shevek

The GroupMoreMembers? is exactly for that purpose, just with the added info how many more members there are (like on /searchmembers). It obviously can only be translated through admin words as the string will never be visible to logged-in members.

comment:11 Changed 6 years ago by shevek

  • Status changed from to_alpha to testing

comment:12 Changed 6 years ago by crumbking

http://alpha.bewelcome.org/groups/77/members

  • pagination seems to be wrong. Last pages are empty while not logged in.
  • the "Log in to see XX members more" should have a link to the login widget, as it's done in the comment section

comment:13 Changed 6 years ago by shevek

Set number of items for pagination to the number of 'visible' members: https://www.gitorious.org/bewelcome/rox/commit/51f1c481f5e8d2b7e05b5ab8ee40aba0a28d5a1c

The missing link is a translation issue.

comment:14 Changed 6 years ago by shevek

  • Status changed from testing to needs_work

comment:15 Changed 6 years ago by shevek

  • Status changed from needs_work to local_testing

comment:16 Changed 6 years ago by shevek

  • Status changed from local_testing to to_alpha

comment:17 Changed 6 years ago by shevek

  • Status changed from to_alpha to testing

comment:18 Changed 6 years ago by crumbking

  • pagination works
  • Could you propose the right translation for the GroupMoreMembers

note for me:

  • give the table in groups/XX/members a 100% width and align the table headline left.

comment:19 Changed 6 years ago by crumbking

  • Status changed from testing to needs_work

100% table

  • Could you propose the right translation for the GroupMoreMembers ?

comment:20 Changed 6 years ago by crumbking

  • Status changed from needs_work to local_testing

comment:21 Changed 6 years ago by shevek

This is the right translation: "%2$s to see more %1$s members". %2$s will be replaced with the login link.

After this commit is deployed: https://www.gitorious.org/bewelcome/rox/commit/ed80d76bf28eb836aba3e76e307ec38b3251b129

Portuguese is already translated, though, and needs to be updated.

comment:22 Changed 6 years ago by shevek

  • Status changed from local_testing to to_alpha

Deployed to alpha.

comment:23 Changed 6 years ago by shevek

  • Status changed from to_alpha to testing

comment:24 Changed 6 years ago by crumbking

Maybe it wasn't a good idea to use an old wordcode, as it looks here now like: "Anmelden to see more 61 members". Also, in case someone needs another "Fall" in one language, they can't change it.

Maybe something like this: https://www.gitorious.org/bewelcome/rox/blobs/master/build/shouts/templates/shoutlist.php#line140 and this https://www.gitorious.org/bewelcome/rox/blobs/master/build/shouts/templates/shoutlist.php#line37 might do it...

comment:25 Changed 6 years ago by shevek

Luckily someone updated the word code already. I thought about adding a new word code, but as you can't translate that one using normal translation links that didn't seem like a good option either.

comment:26 Changed 6 years ago by sitatara

  • Resolution set to fixed
  • Status changed from testing to closed

I corrected the translation for GroupMoreMembers? to "%2$s to see %1$s more members" and tested the visibility of group members.

As far as I can see, the scope of this ticket is fulfilled. I do not see an issue with showing usernames together with public posts because everyone can now clearly choose the visibility him-/herself for each post (although I would wish for a personal privacy setting to make ALL one's posts visible to members only - also retroactively, especially because the visibility settings were far from obvious in the past).

However, there is another issue related to this one on the groups pages that I just noticed: The comments are visible and showing the username of the poster when logged out. For those comments there are no visibility settings available. So, if someone posts a comment and has a non-public profile his/her username will be shown there.

OK, I'll close this ticket and open 2 new ones: #1987 and #1988
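
The behaviour this ticket converged on (logged-out visitors see only public-profile members, the page count is computed from the visible set as in comment:13, and the hint uses the wording from comment:26), as an added PHP example that is not part of the ticket or of the rox code base. The record layout, the sample data and all function names are assumptions.

```php
<?php
// Added example, not code from the rox repository. The record layout
// ('username', 'age', 'public') and all function names are assumptions.

/** Members a viewer may see: everyone when logged in, public profiles otherwise. */
function visibleMembers(array $members, bool $loggedIn): array
{
    if ($loggedIn) {
        return array_values($members);
    }
    return array_values(array_filter($members, fn(array $m): bool => $m['public'] === true));
}

/** One page of the list. The page count comes from the visible set, not the full group. */
function memberPage(array $members, bool $loggedIn, int $page, int $perPage = 2): array
{
    $visible = visibleMembers($members, $loggedIn);
    $pages   = max(1, (int) ceil(count($visible) / $perPage));
    $page    = min(max(1, $page), $pages);   // clamp out-of-range page numbers
    return [
        'rows'   => array_slice($visible, ($page - 1) * $perPage, $perPage),
        'pages'  => $pages,
        'hidden' => count($members) - count($visible),
    ];
}

/** Hint for logged-out visitors; %2$s is the login link, %1$s the hidden count. */
function moreMembersHint(int $hidden, string $loginUrl): string
{
    $link = sprintf('<a href="%s">Log in</a>', htmlspecialchars($loginUrl, ENT_QUOTES));
    return $hidden > 0 ? sprintf('%2$s to see %1$s more members', $hidden, $link) : '';
}

// Constructed sample data.
$group = [
    ['username' => 'alice', 'age' => 31, 'public' => true],
    ['username' => 'bob',   'age' => 45, 'public' => false],
    ['username' => 'carol', 'age' => 28, 'public' => true],
    ['username' => 'dave',  'age' => 52, 'public' => false],
    ['username' => 'erin',  'age' => 39, 'public' => true],
];
$anon = memberPage($group, false, 1);
foreach ($anon['rows'] as $m) {
    echo htmlspecialchars($m['username']), "\n";   // escape on output
}
echo "pages: {$anon['pages']}\n";
echo moreMembersHint($anon['hidden'], '/login'), "\n";
```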
