Internal content visible for unregistered visitors

Hi,

on my platform RoundOF I created some pages for unregistered visitors. Internal content should not be visible to visitors. So I configured the external pages so that no menu is visible. But when I type the URL of an internal page, this page is displayed without login. For instance, I changed the visibility of the "View Profile" page so that Unauthenticated users cannot see it. But still the profile images and the menu are displayed. Also, when someone guesses an internal address, he may get the "404" page of the system, which will display the menu. In the menu he could access the search function, and the search function displays internal content to visitors.

How can I block visitors from seeing internal content?

Regards
Achim

    • Yes, this is a security breach for members. If you want to make profiles private to members only and to entice others to join, there should be no way to see anything if that's how you have it set up. I need this fixed as well.

      • Please could you describe (screenshots if possible) how you configured menu and page to not show for unregistered visitors?

        • Achim Wagenknecht and James Zandreiatti Here is the answer to your situations...both of yours. I put this on your other post also James about a loophole in privacy.

          It's not a loophole nor a security issue, you just need to go to Studio --> Developer --> Menus --> Items and select 'System' in the first drop-down box and 'Site' in the 2nd box.

          Now for each menu item, click on the Anyone link under the Visible to column and change it to selected levels: Account, Standard, Moderator, Administrator and Premium.

          Do the same thing under Developer --> Pages and change the visibility for all of those. If you do not do this, then you can still go directly to the pages by mysite.com/pages/posts-home, but if you do go through and set up visibility on your site, then you will have nothing to worry about. The pages will not be listed in the menu anymore, and if they type in the URL directly, it will say ACCESS DENIED and nothing will be displayed.

          That's just another great feature and proof of how customizable the platform is. You can micro-manage every asset of the site.

          • Thank you very much, Jeremy!😀  I did this now and it works great. Except that in person's profiles still some sensitive information is visible: the name, the cover image and the profile image of the person. Did I miss something? Can I hide these too?

            • I think that the easiest way to not show profiles publicly is using permissions. Go to Studio > Permissions > Actions > select "Unauthenticated" > turn off "View Person's Profile" action

              • I did this, but cover image, profile image and name are still visible without authentication.

                • Achim Wagenknecht You have to continue to lock it down. You need to go to the Developer module and Menus and lock down the View Persons submenu so that doesn't show up either on page/profile?id=#

                  There is much to lock down. Everything is set to anyone by default. It will take you a while to get everything locked down and completely secure. I know Alex T⚜️ mentioned to set the permissions to OFF for Unauthenticated users, but you still have unconfirmed, pending, and suspended users you should adjust permissions of accordingly also. Setting permissions alone isn't enough. Each individual aspect of your site has to be set.

                  • Jeremy Thank you again! OK, now I locked down all 12 items from the View Person submenu. But cover image, profile image and name are still visible. You can try it here: https://roundof.org/page/view-persons-profile?id=219

                    That's one of my test accounts. You'll see 3 items: a picture of a hanging train, a picture of a little plant seedling and the name of that profile: "Reicher Mann" (rich man). These 3 items should be hidden. I can't find out how to hide them.

                    There are no menus except for About, Terms, Privacy, Language, Design, Contact and Copyright. Those should all be visible from outside, so that's ok.

                    • This worked beautifully Jeremy, thank you for your ongoing knowledge and instruction, my friend.

                      • Achim Wagenknecht  I know that Reicher Mann (rich man). I understand you. I will try to figure it out. I speak German :-)

                          • For those of us trying to implement this for a private site to invited members only, it sure would be helpful to have just a few buttons to click to change privacy to members in good standing only!

                            • After you make all the above changes you have to go to Studio -> Pages -> Persons -> "View Profile With Limited Visibility" and at the settings of the page you disable the cover.

                              • Thank you very much, george1 ! Now the settings are perfect. 🙂

                                • I also found that you need to edit the cover and visibility settings of all other pages in the Persons module. If someone visits /page/edit-persons-profile?id=219, they can see the pictures and name.

                                  • Thank you again! I combed through the settings and changed them. Hope I did not miss one.
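A way to check that no page was missed after the lock-down steps above (an added example, not part of the thread and not code from the platform): request each internal path with no session and inspect the response body, because a page can say "access denied" and still render the cover and name. The two profile paths and the name "Reicher Mann" come from the thread; the 404 path, the function names and the sample responses are assumptions constructed for illustration.

```python
import urllib.error
import urllib.request

# Paths to probe as a logged-out visitor; the last one is a made-up path for the 404 page.
PATHS = [
    "/page/view-persons-profile?id=219",
    "/page/edit-persons-profile?id=219",
    "/page/this-page-does-not-exist",
]
# Strings that must never reach an unauthenticated visitor (test profile name from the thread).
MARKERS = ["Reicher Mann"]

# Constructed sample responses so the audit can be run offline.
SAMPLE_RESPONSES = {
    PATHS[0]: (200, "<h1>Access denied</h1>"),
    PATHS[1]: (200, '<div class="cover">Reicher Mann</div><p>Access denied</p>'),
    PATHS[2]: (404, "<nav>About Terms Privacy</nav><p>Page not found</p>"),
}


def sample_fetch(base_url, path):
    """Offline stand-in for fetch_anonymous, backed by the constructed responses."""
    return SAMPLE_RESPONSES[path]


def fetch_anonymous(base_url, path, timeout=10):
    """GET a page without cookies or credentials and return (status, body)."""
    req = urllib.request.Request(base_url.rstrip("/") + path)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # Error pages have a body too, and the 404 page may carry the menu.
        return err.code, err.read().decode("utf-8", "replace")


def audit(base_url, paths, markers, fetch=fetch_anonymous):
    """Return (path, status, leaked_markers) for every page exposing a marker."""
    findings = []
    for path in paths:
        status, body = fetch(base_url, path)
        leaked = [m for m in markers if m.lower() in body.lower()]
        if leaked:
            findings.append((path, status, leaked))
    return findings


if __name__ == "__main__":
    for finding in audit("https://example.invalid", PATHS, MARKERS, fetch=sample_fetch):
        print("LEAK:", finding)
```

Against your own site, call `audit` with the real base URL and the default `fetch`, and extend `PATHS` and `MARKERS` with every page of the Persons module and the labels of internal menu items.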

                                    • Hi, 

                                      on my platform I am having an issue that is closely related to what you described before. As most of the content should be public and I want unauthenticated users to be able to search for content, I need to keep the search option available. The issue I am facing is that the headers including the name of user profiles also show up in the search results. I have set the cover visibility to "Enabled for members only" instead of "disabled" and hoped that would do the job as well.

                                      I have disabled the items and pages as described by Jeremy , so if I click on the profile it shows "access denied". 

                                      I have reduced the permissions for "View person's profile" as described by Alex T⚜️ , to only standard, premium, moderator and administrator.

                                      I have also deactivated the cover for "View Profile With Limited Visibility" as george1 pointed out.

                                      But I still see the covers of the member profiles and the names in the search results.

                                      Can anyone give me a hint as to how to remove them from the search results?

                                      Thank you and regards,


                                      Stephan
