Support » Plugin: Redis Object Cache » Bbpress comments leak emails

  • Resolved darkpollo

    (@darkpollo)


    Hi,
    I am testing the plugin again with an installation of BBPress https://es.wordpress.org/plugins/bbpress/
    There is an option on that plugin to prevent login and use all discussion as comments.
    So the user fills in email and name and can post a comment in a topic.
    https://ps.w.org/bbpress/assets/screenshot-4.png?rev=872931
    It is called Anonymous posting in their settings.

    When using this feature with Redis Object Cache, the email and name of the user are leaked to other users.
    To test it:
    – activate object cache.
    – Go into a topic with 2 different browsers not logged in (I even used a VPN on one of them to simulate a different IP).
    – Post a comment with your email on one of them.
    – Refresh the page for the other user; that second user will have the email and name pre-filled in the comment section.

    I tried to disable the groups for bbpress, but the email for comments was still leaking.
    Is there any group I should disable to make this work?

    Thanks!
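
The two-browser test in the post above can be turned into a repeatable check on the HTML served to a visitor. This is an added example, not code from the thread or from either plugin; the field names `bbp_anonymous_name`, `bbp_anonymous_email` and `bbp_anonymous_website` are assumed to be those of the bbPress anonymous reply form, and both sample pages are constructed.

```python
from html.parser import HTMLParser

# Assumption: input names used by the bbPress anonymous reply form.
ANON_FIELDS = ("bbp_anonymous_name", "bbp_anonymous_email", "bbp_anonymous_website")

class AnonFormParser(HTMLParser):
    """Collects the value attribute of the anonymous-poster inputs."""
    def __init__(self):
        super().__init__()
        self.values = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        if a.get("name") in ANON_FIELDS:
            # A valueless attribute parses as None; treat it as empty.
            self.values[a["name"]] = (a.get("value") or "").strip()

def leaked_fields(html, own_values=frozenset()):
    """Return pre-filled poster fields that the visitor did not supply.

    own_values: decoded name/email values this visitor sent in its own
    cookies. Empty for a first-time visitor, for whom any pre-filled
    field means the page was built for somebody else.
    """
    parser = AnonFormParser()
    parser.feed(html)
    return {k: v for k, v in parser.values.items() if v and v not in own_values}

# Constructed sample: page as a cookie-less second browser should receive it.
CLEAN_PAGE = """<form id="new-post">
<input type="text" name="bbp_anonymous_name" value="">
<input type="text" name="bbp_anonymous_email" value="" />
</form>"""

# Constructed sample: same form carrying the previous poster's details.
LEAKED_PAGE = """<form id="new-post">
<input type="text" name="bbp_anonymous_name" value="Alice">
<input type="text" name="bbp_anonymous_email" value="alice@example.test" />
</form>"""

if __name__ == "__main__":
    print("clean page :", leaked_fields(CLEAN_PAGE))
    print("leaked page:", leaked_fields(LEAKED_PAGE))
```

Feed it the response body fetched by a client that sends no cookies; a non-empty result reproduces the pre-filled form seen in the second browser.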

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author Till Krüss

    (@tillkruess)

    Hi @darkpollo,

    if you disabled the bbPress cache groups and the issue persists, then this is a bug in bbPress itself. Can you post it in their support forum and link it here for me to chime in?

    darkpollo

    (@darkpollo)

    This is not BuddyPress but bbpress forums; there are no groups, they are topics and comments on topics, so comments and posts.
    Does the system store the comment email data somewhere?

    I will create the topic right away and send you the link.

    Plugin Author Till Krüss

    (@tillkruess)

    I’d use Query Monitor to find out which cache groups bbpress uses and try ignoring them.

    darkpollo

    (@darkpollo)

    Sorry I couldn't reply before.

    We fixed the issue and it was not a Redis issue but a problem with cache and the way the cookies are set on bbpress.
    They use the same cookies as WordPress but they cannot be disabled as they do not provide a filter or a hook to do it.
    A big issue in this GDPR era, but nothing to do with your plugin.

    Sorry for the confusion.

    Plugin Author Till Krüss

    (@tillkruess)

    Glad you got it resolved!
