Comments visibility - privacy breach
So, here we are:
1. User Admin created Friends_Only discussion named "Lock" (pic bbb)
2. User Vavilon (friend of Admin) put comment on there (pic ccc)
3. user Coup ( who IS friend of Vavilon, but IS NOT FRIEND of Admin) received to his email notification that friend Vavilon posted comments in Admin's discussion (which is not OK for me, I don't want my friends to know ALL my interactions with other friends ) (pic ddd)
4. user Coup going by link and CAN SEE comment of user Vavilon (who is friend of user Coup) to user Admin (who is not friend of user Coup) in Freinds_Only content (wich is not OK - twice)
5. user Coup can copy link from email notification and spred it over the www because everybody with this link can see the comment of Vavilon to Admin, even unauthenticated persons (pic eee) ((wich is not OK - triple)
Guys, IMHO, it's serious security issue, positions 3-4-5 needs to be closed. (Can we stop position 3 in Notifications checkboxes? which one?)
Thanx in advance.
-
bump?
-
Thank you for bringing this up. We are working on a new approach to privacy and so called “audience” right now and will address this issue. Techs will comment on which notification to turn off shortly.
-
Thanx Andrew. When to expect the new approach's arrival?
-
That’s one of the main reasons we are delaying RC7 a bit (it will be called GM1 most likely). The change involves almost all modules and definitely needs live testing. Early next week we hope to roll it out to a couple of live sites and then proceed to release. No specific date yet, but we do want to turn around within this month.
-
Thank you for the report:
