Project

General

Profile

Bug #2122

Private group activity appearing in News feed?

Added by Sarah Morgano about 9 years ago. Updated almost 9 years ago.

Status:
Rejected
Priority name:
Urgent
Assignee:
Category name:
BuddyPress (misc)
Target version:
Start date:
2012-09-12
Due date:
% Done:

0%

Estimated time:

Description

This is really strange, but when I went from the Wiki section to the News section without being logged in I was able to view forum posts and replies from private groups (screenshot attached). When I refreshed the page, the private activity disappeared and I was only able to see public activity. I wasn't able to replicate the issue on Firefox (which I originally used) or IE.

activity_stream.jpg (445 KB) activity_stream.jpg Sarah Morgano, 2012-09-12 11:10 AM
logged-out-active-member.png (582 KB) logged-out-active-member.png Dominic Giglio, 2012-09-30 06:42 PM

History

#1 Updated by Matt Gold about 9 years ago

  • Category name set to BuddyPress (misc)
  • Status changed from New to Assigned
  • Assignee set to Boone Gorges
  • Priority name changed from Normal to Immediate
  • Target version set to 1.4.5
  • Severity set to Critical

#2 Updated by Boone Gorges about 9 years ago

Can't reproduce on any browser. Dom, can you try?

#3 Updated by Matt Gold about 9 years ago

I'm also unable to reproduce - Chrome/OS X

#4 Updated by Dominic Giglio about 9 years ago

I just want to make sure I understand this issue. In Sarah's screenshot you can see the replies from Amanda Matles to the forum in the GC Videography Fellows group, but that is a private group, and since Sarah was not logged in, she should not have seen those replies in the news feed. Is that correct?

I can't reproduce this either. I'm wondering if this is because of a cookie that may have still existed in firefox's cache on Sarah's machine? Her browser "thought" she was still logged in, but when she refreshed, that stale cookie was flushed?

#5 Updated by Matt Gold about 9 years ago

Yes, I think that's correct, Dom.

I'm trying to think of a way in which Sarah's account would have had permission to see private group activity. Boone, could this have something to do with the permissions we've given CFs to create gallery posts on the main blog?

#6 Updated by Boone Gorges about 9 years ago

Her browser "thought" she was still logged in, but when she refreshed, that stale cookie was flushed?

Yes, except that the toolbar in the screenshot shows her as logged out. Logged-in state in the toolbar and in the activity stream should be determined in the same way, using the very same cookies.

Boone, could this have something to do with the permissions we've given CFs to create gallery posts on the main blog?

I doubt it. BuddyPress doesn't look at blog permissions when determining activity streams. It would only matter if she was a super admin on the network.

#7 Updated by Dominic Giglio about 9 years ago

What about the page itself being cached by the browser? Could the news stream have been served out of firefox's local cache (generated the last time she was logged in) while the toolbar correctly reflects her logged out status?

#8 Updated by Sarah Morgano about 9 years ago

I just wanted to add that I'm not a member of any of the private groups I could see activity from.

#9 Updated by Boone Gorges about 9 years ago

Could the news stream have been served out of firefox's local cache (generated the last time she was logged in) while the toolbar correctly reflects her logged out status?

Unlikely. BP and WP do not support any kind of fragment caching like this, and I'm pretty sure that browsers aren't smart enough to do so.

The fact that Sarah was able to see activity from groups she wasn't a member of makes me think that this is not simply an issue of a stray cookie, though to be frank I have no idea where else to look.

#10 Updated by Boone Gorges almost 9 years ago

  • Priority name changed from Immediate to Urgent
  • Target version changed from 1.4.5 to 1.4.6

As it seems that this is not a recurring issue, I'm going to mark it down in priority for the moment and bump it to the next milestone for further testing.

#11 Updated by Dominic Giglio almost 9 years ago

Boone,

After just resetting my password while trying to recreate the error in issue #2146 I noticed something that might have to do with this issue.

Once I reset my password and logged in successfully, I immediately logged out. Once the page refreshed I noticed that I was still listed in the "Who's Online" widget. I'm not sure if that widget uses caching/transients but if the site still "thinks" I'm logged in when I'm not, wouldn't other logged in only content show up as well, like news feeds? At least some of it - theoretically?

I've attached a screenshot showing my member name in the widget and a login link in the buddybar. I've closed the browser window and quit it completely, still thinks I'm an "Online" member.

#12 Updated by Boone Gorges almost 9 years ago

The "Who's Online" query just looks for users who have a last_activity value within the last 5 or 10 minutes (I forget which). It can't really tell whether you're actually online, and it should be unrelated to the issue in this ticket.

Adding Ray as a watcher, in case anything comes to mind for him.

#13 Updated by Dominic Giglio almost 9 years ago

OK, that makes sense.

#14 Updated by Raymond Hoh almost 9 years ago

Boone Gorges wrote:

The "Who's Online" query just looks for users who have a last_activity value within the last 5 or 10 minutes (I forget which). It can't really tell whether you're actually online, and it should be unrelated to the issue in this ticket.

Adding Ray as a watcher, in case anything comes to mind for him.

After looking at bp-custom.php earlier today, I noticed that we actually increased the online, active window from 5 minutes to 60 - see #436. It's not really related to this issue though.

With regards to this issue, I have a feeling Dom has the right idea.

In Firefox (and probably other browsers), if you use the back and forward buttons, you can still view a cached copy of the previous page. It is possible that Sarah might have encountered this behavior.

If Sarah did not use the back and forward buttons, then unfortunately, it's one of those anomalies that we haven't been able to pinpoint yet.

#15 Updated by Matt Gold almost 9 years ago

In Firefox (and probably other browsers), if you use the back and forward buttons, you can still view a cached copy of the previous page. It is possible that Sarah might have encountered this behavior.

The problem with that logic, I think, is that Sarah should not have had permission to view that private activity even if she were logged in (Boone can correct me if I'm wrong).

#16 Updated by Boone Gorges almost 9 years ago

  • Target version changed from 1.4.6 to 1.4.7

#17 Updated by Boone Gorges almost 9 years ago

  • Target version changed from 1.4.7 to 1.4.8

#18 Updated by Boone Gorges almost 9 years ago

  • Target version changed from 1.4.8 to 1.4.9

#19 Updated by Boone Gorges almost 9 years ago

  • Target version changed from 1.4.9 to 1.4.10

#20 Updated by Boone Gorges almost 9 years ago

  • Target version changed from 1.4.10 to 1.4.11

#21 Updated by Boone Gorges almost 9 years ago

  • Target version changed from 1.4.11 to 1.4.12

#22 Updated by Boone Gorges almost 9 years ago

  • Target version changed from 1.4.12 to 1.4.13

#23 Updated by Boone Gorges almost 9 years ago

  • Status changed from Assigned to Rejected

I'm closing this ticket because we've been unable to reproduce the issue. Please reopen if you can provide steps.

Also available in: Atom PDF