Cannot select group badge for groups that are hidden... other questions about gated categories and group based security holes
-
In my forum at forums.j-novel.club, I have 2 special groups for subscribers and premium subscribers of my service.
The membership of these groups is entirely controlled by the write-api plugin from my backend service, and I don't want the list of who is in each group to be public...
So currently the settings for these groups are:
Show Badge: Checked
Private: Unchecked (because I need them added immediately by the write API)
Disable Join Requests: Checked
Hidden: CheckedBut with these settings, the group doesn't appear in my user profile settings to select the badge. It does however if I uncheck "Hidden". However in that case people can go to the Group page and see everyone else in that group which is not a behavior I would like to be able to have.
Could I like, disable the group pages completely, so that even going to /groups directly doesn't work?
Second, if I am not a Premium Member, but I go to the profile page of someone who is a Premium Member, I can see a timeline of all their posts, including the ones they made to Premium Only categories... This is a security hole and people could use this to read content that should be gated off. Could I disable the "Posts made by" list?
-
@samuelp does registered-users group have access to the premium only categories?
-
@pichalite The permissions are set where registered users have "Find Category" and "Access Category" set, but nothing else like "Access Topic", etc.
I want non-premium members to be able to see the categories and even the topic listings, just not any of the actual topic posts or replies.
Right now also in addition to the loopholes above, the "most recent posts" reveals some of the posts (but not enough to bother me much)...I suppose a lot of this could be fixed by programming a custom template....
