Private Pictures in Social Groups
kirstyd
Sat 28th Jun '08, 10:39am
We have a problem where private pictures in social groups are visible to all. Could someone point me in the direction of the right permission setting please!
The pictures are in private albums ("mods and contacts only") and are not visible from the user's profile.
The pictures are added to an invitation only social group - with "users must join to view content". The messages in these groups aren't visible to non-members. On the group.php page the "messages" column has numbers with no links, but the "pictures" column has numbers with working links and these link to the private pictures in the group even for non group members.
All our social group templates are defaults.
thanks
kirsty
Steve Machol
Sat 28th Jun '08, 3:50pm
I cannot duplicate this. Please provide a link to such a picture.
cpb
Sat 28th Jun '08, 6:26pm
Hi kirsty
We had the same problem, and although I am not the techy, our programmer managed to remove the linked ability for the numbers of pictures listed in each group so that they could not be reached by members who weren't invited to that social group. See here:
http://www.birth.com.au/forum/group.php
However, we also want to do this for the list of members. At the moment you can click on the numbers in that member column and see who the members of that group are even if you are not a member. Our programmer tried to do this with this column as well but couldn't work out how... any help appreciated :)
Steve Machol
Sat 28th Jun '08, 9:18pm
Try setting 'Can View Social Groups' to 'No.'
cpb
Sat 28th Jun '08, 11:33pm
Setting to 'no' means no members can view the social groups at all. We want the social groups seen, just not the individual members of 'invite only' groups viewable. Maybe in the next version??
Steve Machol
Sun 29th Jun '08, 1:31am
I do not see a setting for that. Sorry.
kirstyd
Sun 29th Jun '08, 8:37am
> I cannot duplicate this. Please provide a link to such a picture.
Well the pictures are like: http://forums.loquax.co.uk/picture.php?pictureid=155&groupid=19&dl=1214605132&thumb=1
I'm not worried about anyone being able to see those though - the numbers need to match up for the pictures to be viewable - as long as you don't have the link the pictures are pretty much private. I guess this was designed that way and I'm quite happy with that.
The group pictures pages are visible [to any logged in user] at http://forums.loquax.co.uk/group.php?do=grouppictures&groupid=19 though, so even if I remove the links to the group picture pages from the group listing page (as cpb suggests) they would still be easily viewable by anyone being nosey!
If a logged in user who doesn't belong to a social group guesses at the url http://forums.loquax.co.uk/group.php?groupid=19 to see the messages then they see "You need to be a member of this group to view its contents".
I was guessing there was a usergroup permission wrong somewhere that was making group pictures viewable by all registered users rather than just group members, mods & admins. Is this not the case?
thanks
kirsty
Steve Machol
Sun 29th Jun '08, 1:37pm
Sorry but that is not a valid link. I still have no idea what you mean.
kirstyd
Mon 30th Jun '08, 6:54am
I'll try and explain in a different way.
In the socialgroups_group template there is some code that stops users without access to a particular social group from viewing the messages, instead they see "You need to be a member of this group to view its contents".
<if condition="!$group['canviewcontent']">
    <div class="alt2 block_row">$vbphrase[must_join_to_view]</div>
</if>
However in socialgroups_pictures there doesn't appear to be any kind of equivalent protection.
I've just changed the default socialgroups_pictures template from this:
<td class="alt1 floatcontainer" id="picturebits">
    <if condition="$picturebits">
        $picturebits
    <else />
        $vbphrase[no_pictures_added_group_yet]
        <if condition="$show['add_pictures_link']"><a href="group.php?$session[sessionurl]do=addpictures&groupid=$group[groupid]">$vbphrase[add_pictures_to_this_group]</a></if>
    </if>
</td>
to this:
<td class="alt1 floatcontainer" id="picturebits">
    <if condition="!$group['canviewcontent']">
        <div class="alt2 block_row">$vbphrase[must_join_to_view]</div>
    <else />
        <if condition="$picturebits">
            $picturebits
        <else />
            $vbphrase[no_pictures_added_group_yet]
            <if condition="$show['add_pictures_link']"><a href="group.php?$session[sessionurl]do=addpictures&groupid=$group[groupid]">$vbphrase[add_pictures_to_this_group]</a></if>
        </if>
    </if>
</td>
which gives pictures the same protection as messages.
So I've solved the problem, but I haven't understood why I have this problem to start with. Since everyone isn't reporting this problem I'm presuming there is something wonky with my setup somewhere. I'll keep trying to figure it out.
I'd rather solve the underlying problem than roll with the template edit if possible because then when I upgrade it's one less template to worry about having to revert and re-edit.
thanks
kirsty
Zachery
Mon 30th Jun '08, 9:00am
I would report it as a bug, and if you can specific steps to re-create. Can you copy your permissions over 1:1 to a new fresh test installation and re-create the issue?
kirstyd
Mon 30th Jun '08, 9:25am
> I would report it as a bug, and if you can specific steps to re-create. Can you copy your permissions over 1:1 to a new fresh test installation and re-create the issue?
Good idea; I'll have a go at that. Thanks.
kirstyd
Mon 30th Jun '08, 10:00am
Yes, I have reproduced the problem. I'll go and figure out how to submit this as a bug now.
New installation of vb 3.7.2
Change vBulletin Options -> Social Group Options -> Allow Join to View Groups to "Yes"
As User A:
Create a new social group: invite only, enable albums and messages, also check "Users must join to view the content".
From your userCP: Add an album which is set to "Private - Only visible to contacts and moderators" and upload a picture to it.
From this private album, Add pictures to the group you created earlier.
As User B:
Login and go to the social groups page. (Don't join the test group!)
Click on the number linked in the "pictures" column of the test group and you will see what ought to be a private picture uploaded by user A.
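The reproduction steps above, expressed as a repeatable access-control check over every content view of a group. This is an added example, not part of the original post and not vBulletin code: it is a small Python model, and every name in it (Group, can_view_content, the view_* functions, leaking_views) and its sample data are hypothetical.

```python
from dataclasses import dataclass, field

MUST_JOIN = "You need to be a member of this group to view its contents"

@dataclass
class Group:
    groupid: int
    join_to_view: bool                  # "Users must join to view the content"
    members: set = field(default_factory=set)
    messages: list = field(default_factory=list)
    pictures: list = field(default_factory=list)

def can_view_content(user, group, moderators=frozenset()):
    """Single decision point, playing the role of $group['canviewcontent']."""
    if not group.join_to_view:
        return True
    return user in group.members or user in moderators

def view_messages(user, group):
    # Behaviour reported in the thread: messages are gated.
    return group.messages if can_view_content(user, group) else MUST_JOIN

def view_pictures_unchecked(user, group):
    # Behaviour reported in the thread: the pictures page has no equivalent gate.
    return group.pictures

def view_pictures_checked(user, group):
    # Same gate as messages, applied where the content is fetched.
    return group.pictures if can_view_content(user, group) else MUST_JOIN

def leaking_views(views, outsider, group):
    """Names of views that return group content to a non-member."""
    return sorted(name for name, view in views.items()
                  if view(outsider, group) != MUST_JOIN)

def build_repro():
    # Constructed data following the User A / User B steps.
    g = Group(groupid=1, join_to_view=True, members={"user_a"})
    g.messages.append("hello from A")
    g.pictures.append("private-album-picture.jpg")
    return g

BEFORE = {"messages": view_messages, "pictures": view_pictures_unchecked}
AFTER = {"messages": view_messages, "pictures": view_pictures_checked}

if __name__ == "__main__":
    g = build_repro()
    print("before:", leaking_views(BEFORE, "user_b", g))
    print("after: ", leaking_views(AFTER, "user_b", g))
```

Running the same matrix against each new view (member list, single picture) as it is added catches a missing gate before release, which a per-template edit does not.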
wesleyh84
Tue 8th Jul '08, 2:36pm
I have made a hack that should solve this, as well as hide all invite only groups from the group list page + when accessed directly via URL and you're not invited.
If you would be so kind to help test it, you can download it here: http://www.vbulletin.org/forum/showthread.php?t=184715