[Plugin: Private groups] Forums still directly accessible via URL

[Frank]

Thanks for making this plug-in! After some issues installing it (updated BBPress after installing Private Groups, which apparently necessitated a re-install of Private Groups) everything is working as it should.

However: there’s one issue with accessibility of forums which should not be accessible. Situation:

1. I have 4 forums: Course Information 2013, Course Reading 2013, Course Information 2014 and Course Reading 2014. All forums are set to ‘Private’.

2. The two 2013-forums are in forum group ‘2013’, the 2014-forums in forum group ‘2014’.

3. I have created a user (Pete) who only has access to ‘2014’, i.e. when I log in as this user I can only see the two 2014-forums.

That’s all good, but due to the nature of the names of my forums, students from 2014 can easily guess the URL of last year’s forums. By changing the URL from /forum/course-reading-2014 to /forum/course-reading-2013, Pete actually has full access to last year’s forums where he can see all the answers his predecessors have given to the questions he’ll be asked!

Clearly this is no good – the plugin seems to simply hide the forums from view, but not block access to them via direct URL. Is there a way to make it so that when an unauthorized user attempts to visit a forum he has no access to, he gets the same message a non-logged-in user would get, i.e. ‘page not found’?

https://wordpress.org/plugins/bbp-private-groups/

[Robin W]

Thanks for this post, and I am not sure if this relates to the sub-forums in your other post.

Can you confirm that each forum has a private group set?

[Robin W]

I’ve just set up a test, and it does not let you in via url, which is as I expected.

you should get a 404 page not found error.

are you finding that is this only for logged in users, or can anyone with url see the wrong ones?

[Frank]

Hi Robin!

Confirmed: each forum has a private group set. And like I said it works as expected (you only see the forums that are allowed for your group) as long as visitors don’t play around with the URL’s.

If you are not logged in you cannot see the forums, whether you try via the website or directly via URL. Only logged-in users can see the forums (either the ones they are supposed to see, or the other ones via URL).

[Robin W]

ok I’ll set up excactly as you, so can you list

wordpress version
bbpress version
theme
all plugins

Also can you list the private groups settings below :

Forum visibility :
Activate checked?
Redirect pages :
Freshness settings checked?
Freshness message?

General settings :
Hide topics and reply counts ?
Show descriptions ?
Private pre-fix

Group settings
the names for each group

[Frank]

Thanks for being so thorough, Robin! Here we go:

WordPress version: 3.9.2
bbPress version: 2.5.4
Theme: Twenty Twelve

All other active plugins:
– bbP Private Groups – 2.0.1
– bbPress New Topic Emailer – 1.0 (used to send me a notification when new topics are created)
– Cimy User Extra Fields – 2.5.0 (used to create a field for student number when people register for the site)
– FBF – Facebook Page Feed Widget – 1.2.1 (used to display faculty Facebook-feed)
– Google Analytics – 1.0.5
– Quick Chat – 4.13 (used to put chat-box on the live-stream page)
– SB Welcome Email Editor – 3.7 (used to edit the welcome-e-mail)

Deactivated plugins:
– Hello Dolly – 1.6
– User Role Editor – 3.10

Background info: last year I set all the forums to ‘hidden’ and used the User Role Editor to give students’ accounts access to them (allow them to read hidden forums). Now, with students in different years this will no longer work, and I’d like to use your plugin instead. I have therefore *first* disabled the ‘read hidden forums’ option for all users (so none of the students could read the hidden forums any longer), after which I deactivated the User Role Editor and started setting up your plugin.

Also can you list the private groups settings below:

Forum visibility:
Activate checked? – no, not checked
Redirect pages: – empty, n/a
Freshness settings checked? – no, not checked
Freshness message? – empty, n/a

General settings:
Hide topics and reply counts? – no, not checked
Show descriptions? – no, not checked
Private pre-fix – yes, checked

Group settings
– group1: Staf
– group2: Studenten 2013-2014
– group3: Studenten 2014-2015

These are the names of my forums:
– ‘Cursusinformatie’ (Private, forum groups 1 & 3 checked)
– ‘Bespreking literatuur’ (Private, forum groups 1 & 3 checked)
– ‘Cursusinformatie (2013-2014)’ (Private, forum groups 1 & 2 checked)
– ‘Bespreking literatuur (2013-2014)’ (Private, forum groups 1 & 2 checked)

You can find my website here, and if you want, you can login using credentials demostudent / kijk eens rond. If you do, you’ll be able to see only the two new forums, but if you open any topic and change the URL (you’ll see how) you get access to the old topic (so far all the new topics also exist, with the same name) in the old forums.

Details about user ‘demostudent’: it’s is in private group 3, it’s role is ‘Subscriber’, forum role is set to ‘Participant’.

I’ve manually changed the URL’s of the old forums so that you can no longer do the above trick for the whole forum. After you login as demostudent you can still reach them though:
– Bespreking literatuur (2013-2014)
–Cursusinformatie (2013-2014)

One more thing: under Tools -> Forums -> Repair Forums I’ve recalculated private and hidden forums – to no avail.

I’m going to make a back-up right now and then try to de-activate the other plugins one by one, and see if that makes a difference.

Update: I’ve disabled all of the plugins one by one, then logged off and on as demostudent and checked if that helped. Did not make any difference. All of the plugins (including bbPress) have now been deactivated and re-activated one by one.

[Frank]

Update: I figured that the User Role Editor would be a likely suspect, even though it was de-activated. I decided to activate it once again and check its settings. Apparently for the role ‘Subscriber’ the custom capability ‘read hidden forums’ was activated. I’ve proceeded to reset the settings to WordPress defaults.

This definitely changed something! Now demostudent (subscriber) can still see the two forums he’s supposed to see, but he can now no longer see any of the topics (‘Oh bother! No topics were found here!’). Also: if I try to open an old forum directly via URL I get a page-not-found – which is good! There’s now a difference between trying to visit a forum that is allowed and one that isn’t – except that no topics are now showing.

If I log in as administrator and visit the forum I do get to see the topics.

Will report back!

[Frank]

I think it’s fixed! Sorry ’bout all the fuss 🙂 Here’s what happened after my last post:

– I disabled Private Groups and bbPress completely.
– Re-enabled only bbPress and checked the forums as demostudent. All the forums show up, but I can’t see the topics in any of them.
– I’ve set forum ‘Cursusinformatie’ to public instead of private. Now demostudent can see the topics!
– I then set ‘Cursusinformatie’ back to private, and demostudent could still see the topics!
– I then did the same for the other four forums, after which demostudent could now see the topics in all the forums.
– Finally I re-enabled Private Groups after which demostudent could only see the two forums relevant for his year, and importantly: he gets a page-not-found error if he tries to visit the old forums directly via URL.

Succes! 😀

[Robin W]

Brilliant -I am really pleased that this is fixed, it’s usually a combination of things, but tracking the down is not always easy.

No problem in helping you where I can so please don’t apologise about the ‘fuss’ !

I’ll mark this one as resolved

[Frank]

Cheers, thanks Robin!