MAJOR Privacy BUG!

Hello All,

One of my site members & me just discovered a MAJOR privacy bug. 2 things need to be fixed ASAP, like yesterday!

1. If a profile goes into EDIT, he can choose who can view his entire profile. Some members choose Friends only, or "Me only" if they are just on the site to look. IF this happens, OBVIOUSLY it should block letters, IM's etc automatically from everyone (besides friends if that's their preference), however it does NOT. You can't enter the profile, that is correct, BUT if you find the profile under member list, and hold your mouse on the picture, the menu pops up and you can do EVERYTHING from there.

2. I also tried to press the "Golden Key" in the Actions menu, and chose "Me Only" (after I changed entire profile under edit to me only), and STILL the user was able to BOTH IM and send Letters.

PLEASE fix this MAJOR PRIVACY bug asap!

Quote · 21 Apr 2010

Ticket added: http://www.boonex.com/trac/dolphin/ticket/1973

Life is a fatal disease, sexually transmissible - Virginity is carcinogenic! Ask here for vaccine.
Quote · 21 Apr 2010

Ticket added: http://www.boonex.com/trac/dolphin/ticket/1973

Uhm, seems like the ticket was closed based on what??

WHO closed it? This is really stupid. Why do you need profile privacy on who can contact if it won't work anyway? And what's the point in hiding your profile if anyone can contact you anyway?

Furthermore, it was stated "One must block if you don't want the person to contact you"??? How can you state this? What about the people that say friends only? Are they supposed to block ALL other members 1 by one, to make sure they don't get spammed? lol....

Quote · 21 Apr 2010

AlexT: Profile privacy affects view profile only. If you want to restrict for someone to contact you, then you need to block this profile - it will affect most of the functionality then.

 

It is ridiculous that this ticket was closed.

There is no way to protect members if the privacy functions only affect certain areas, while leaving others wide open to anyone.

I seriously doubt there is anyone on Unity who would agree with the decision on this one.

Are you really suggesting that each user block any user they don't want manually? Do you really think anyone will do that? What about sites with hundreds or thousands of members? Blocking each profile manually could take a year and then it would only block "most of the functionality"?

Give me a break. Just more broken promises.

Quote · 22 Apr 2010

If users decide to make their action block "friends only" by using the yellow key, anyone from outside can still see/use their action block by using the popup action block (im, letter, greeting etc etc) from anywhere in dolphin website. eh.. it's public to me.

Okay.. so I started thinking.. if Boonex fixed this by removing the popup action block or whatever, how in the world could they block them if there was no action block at all?  Bad people would love to set theirs to "me only" and screw people over without being blocked.  Hmm… not good. 

If they set their profile to "friends only", how could REAL friends befriend them? There is no action block in their profile. no contact.. nothing except the default message saying "Access denied".  From what I see, about 90% of my users don't know about the popup action block so they get frustrated easily.  :-/

This whole privacy concept is a mess.  This seriously needs to be fixed. I mean, this is a serious issue.

Quote · 22 Apr 2010

AlexT: Profile privacy affects view profile only. If you want to restrict for someone to contact you, then you need to block this profile - it will affect most of the functionality then.

It is ridiculous that this ticket was closed.

There is no way to protect members if the privacy functions only affect certain areas, while leaving others wide open to anyone.

I seriously doubt there is anyone on Unity who would agree with the decision on this one.

Are you really suggesting that each user block any user they don't want manually? Do you really think anyone will do that? What about sites with hundreds or thousands of members? Blocking each profile manually could take a year and then it would only block "most of the functionality"?

Give me a break. Just more broken promises.

Agree 100%

Quote · 22 Apr 2010

04/21/10 04:55:32 changed by AlexT

  • status changed from new to closed.
  • resolution set to worksforme.

Profile privacy affects view profile only. If you want to restrict for someone to contact you, then you need to block this profile - it will affect most of the functionality then.

https://dolphin-techs.com - Skype: Dolphin Techs
Quote · 22 Apr 2010

04/21/10 04:55:32 changed by AlexT

  • status changed from new to closed.
  • resolution set to worksforme.

Profile privacy affects view profile only. If you want to restrict for someone to contact you, then you need to block this profile - it will affect most of the functionality then.

??

Quote · 23 Apr 2010

Bump... Can we please get this ticket re-opened and get a fix??

Quote · 25 Apr 2010

Hello All,

One of my site members & me just discovered a MAJOR privacy bug. 2 things need to be fixed ASAP, like yesterday!

1. If a profile goes into EDIT, he can choose who can view his entire profile. Some members choose Friends only, or "Me only" if they are just on the site to look. IF this happens, OBVIOUSLY it should block letters, IM's etc automatically from everyone (besides friends if that's their preference), however it does NOT. You can't enter the profile, that is correct, BUT if you find the profile under member list, and hold your mouse on the picture, the menu pops up and you can do EVERYTHING from there.

2. I also tried to press the "Golden Key" in the Actions menu, and chose "Me Only" (after I changed entire profile under edit to me only), and STILL the user was able to BOTH IM and send Letters.

PLEASE fix this MAJOR PRIVACY bug asap!

It's not a bug. It's the way it works. Certain modules may have their own privacy settings, and profile is only one of the modules, as far as privacy is concerned. Suggestions on how to improve it, specifically, are very welcome.

Heart Head Hands
Quote · 3 May 2010

Ok, I suggest that there be a way to block everyone but friends for all modules. Also to have anyone with absolute privacy settings be able to remove their posts and other content from showing up publicly - such as in a site wall.

This is a pain, I understand - but - I have had people who were being stalked - literally. They need complete privacy from anyone they don't trust.

 

Quote · 19 May 2010

Ergonomics, Andrew, ergonomics... (http://en.wikipedia.org/wiki/Ergonomics - http://en.wikipedia.org/wiki/Human-Computer_Interaction)

IMHO this is the main problem with Dolphin (the second one being browsers (IE7) compatibility).

"It's the way it works"... Dolphin has to work the way that most users will think it is working (often the way that most other sites are working). Maybe it will be less problems if each block could contain some explanation to tell the world how to use the feature (as already told and asked).

Dolphin is a nice product, very exciting at first sight. "A software with a great potential" -  sounds good... but "A great software" will sound so much better ;)

Life is a fatal disease, sexually transmissible - Virginity is carcinogenic! Ask here for vaccine.
Quote · 19 May 2010

Just out of curiosity, If you all want to block all contact by non-friends, how do you expect someone to become a friend in the first place?

My opinions expressed on this site, in no way represent those of Boonex or Boonex employees.
Quote · 19 May 2010

To improve privacy, there are a few small changes needed.

1) The default privacy setting should be "Me only"

2) The "Edit Profile Privacy" setting is confusing, it should be part of the "Privacy Settings"

3) The Keys in the profile are good and give flexibility, however make this option available for all modules or none (photos/videos/sounds/etc.)

4) "Reset button" to reverse privacy settings to "Me only" for all modules in 1 action.

5) For each module, the highest privacy setting should dictate who can see the info (for example; if my photo privacy setting is "private", albums that are "public/friends/etc" should not be shown. If my photo privacy setting is "friends" all albums that have a minimum security setting of friends should be shown).

Regarding posts, if you post in a public forum, be aware it is PUBLIC. Not showing these posts to the public would affect the thread in a negative way. However, I do agree that you should be free to select what information is shown on your wall about you.

Dedicated servers for as little as $32 (28 euro) - See http://denre.com for more information
Quote · 19 May 2010

RE:

1) The default privacy setting should be "Me only"

Wrong.  The 'Me Only' setting needs to go away.  It's very poorly implemented, and should never have been applied to the entire profile.  It renders the profile completely invisible.  Just imagine a site with thousands of members, with every profile set to 'me only' .... you'd have one incredibly useless site.  The setting 'Me Only' should only be applied to very specific owner content.

My opinions expressed on this site, in no way represent those of Boonex or Boonex employees.
Quote · 19 May 2010

HL is right again :) Of course default privacy settings have to be "Public".

There needs to be a way to send a friend request to profiles with Privacy level set to Friends only! That was already said many times. I think that a ticket was opened but I am too sleepy to search for it just now :P

Life is a fatal disease, sexually transmissible - Virginity is carcinogenic! Ask here for vaccine.
Quote · 19 May 2010

As a site owner I agree with you HL, however privacy is there for your members. Members should have full control about what information is public, and what isn't. By setting the default to public, your members will "leak" more information than they want to and this undermines the effectiveness of the privacy option and with it the trust in your site.

Just as with emails, there will be a moment that sharing information is done on an "opt-in" basis and this is an opportunity to set the standard.

Setting the default to "Me only" does not mean that all information should be hidden, for every profile the name and description should be shown, together with the option to Contact/Befriend. If you want your complete profile to be unavailable you should either delete it or set it to inactive.

Dedicated servers for as little as $32 (28 euro) - See http://denre.com for more information
Quote · 19 May 2010

RE:

Setting the default to "Me only" does not mean that all information should be hidden, for every profile the name and description should be shown, together with the option to Contact/Befriend. If you want your complete profile to be unavailable you should either delete it or set it to inactive.

Glad you agree with me.  Like I said, the 'Me Only' option is poorly implemented.  As it is now, this option just creates a useless database record.

My opinions expressed on this site, in no way represent those of Boonex or Boonex employees.
Quote · 20 May 2010

 

Just out of curiosity, If you all want to block all contact by non-friends, how do you expect someone to become a friend in the first place?

On my old site, the page that blocked people from viewing another members content contained a button that allowed them to send the person a friend request, but nothing more. They couldn't view anything, or contact them any other way unless that request was accepted.

It actually worked very well, but only when the person's blog posts (for instance), indicated that they had strict privacy. Before that, people would get pissed because they would click to view a post and be blocked.

If it is indicated that the post is by a person with privacy enforced, people will either not click the content at all, or click it - expecting to do a friend request for access. Then the profile owner can accept or deny the request and everyone is theoretically happy.

It sounds a lot more complicated than it is, but really did work well once I had it all tweaked. People really liked it.

I did eventually separate the blog posts with 3 tabs. "Public", "Private", and "View All". That was because the site was very focused on blogging and all recent blog posts essentially made up the front page.

That is what I eventually hope to do with D7 too - but time will tell if it will be possible. Especially with my limited ability.

(I was using phpIzabi back then & it was much easier to work with, but a major hacker magnet).

Quote · 20 May 2010
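
The scheme in the post above (strict privacy that still leaves a friend-request path) only holds if the same check runs inside every action handler, not just on the profile page, which is the gap this thread opened with. An added sketch, not Dolphin's code and not from any poster: `canPerform`, the level constants and the array layout are hypothetical, and the admin bypass and "Me only" refusing friend requests are design assumptions.

```php
<?php
// Added example with hypothetical names; this is not Dolphin's API.

const LEVEL_PUBLIC  = 'public';
const LEVEL_FRIENDS = 'friends';
const LEVEL_ME_ONLY = 'me_only';

/**
 * Decide whether $viewerId may perform $action against $owner's profile.
 * Every handler (view, IM, letter, greeting) calls this before acting, so a
 * popup menu or a hand-built request gets the same answer as the profile page.
 */
function canPerform(int $viewerId, array $owner, string $action, bool $viewerIsAdmin = false): bool
{
    if ($viewerId === $owner['id'] || $viewerIsAdmin) {
        return true;                       // assumption: owner and admin are never locked out
    }
    if (in_array($viewerId, $owner['blocked'], true)) {
        return false;                      // an explicit block overrides everything else
    }
    $isFriend = in_array($viewerId, $owner['friends'], true);

    // A friend request is the one action a stranger may send to a
    // friends-only profile; without it nobody could ever become a friend.
    if ($action === 'friend_request') {
        return !$isFriend && $owner['privacy'] !== LEVEL_ME_ONLY;
    }

    switch ($owner['privacy']) {
        case LEVEL_PUBLIC:
            return true;
        case LEVEL_FRIENDS:
            return $isFriend;
        default:
            return false;                  // me_only and unknown values fail closed
    }
}

// Constructed sample data: profile 10 is friends-only, 11 is a friend, 13 is blocked.
$owner = ['id' => 10, 'privacy' => LEVEL_FRIENDS, 'friends' => [11], 'blocked' => [13]];

foreach ([11 => 'friend', 12 => 'stranger', 13 => 'blocked'] as $viewerId => $label) {
    foreach (['view_profile', 'send_im', 'send_letter', 'friend_request'] as $action) {
        $verdict = canPerform($viewerId, $owner, $action) ? 'allow' : 'deny';
        printf("%-8s %-14s %s\n", $label, $action, $verdict);
    }
}
```

With the sample data the stranger is denied view, IM and letter but allowed the friend request, and the blocked member is denied all four.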

Unless anyone has any further input, I hope Boonex can have a look at the suggestions and come up with workable solution for 7.0.2. The beginning of June is near and there still is a lot of work to do, to get this implemented.

To summarize what was said (and 2 extra points)

  1. The default privacy setting should be "Me only"
    •  for every profile as a minimum, the name and description should be shown, together with the option to Contact/Befriend
  2. The "Edit Profile Privacy" setting is confusing, it should be part of the "Privacy Settings"
    • Privacy settings should all be possible from 1 location, this makes it less confusing for users.
  3. "Reset button" to reverse privacy settings to "Me only" for all modules in 1 action.
    • When people are confused about their privacy settings, it should be simple to reset everything to the default of "Me Only"
  4. For each module, the highest privacy setting should dictate who can see the info
    • for example; if my photo privacy setting is "private", albums that are "public/friends/etc" should not be shown. If my photo privacy setting is "friends" all albums that have a minimum security setting of friends should be shown.
  5. The Keys in the profile are good and give flexibility, however make this option available for all modules or none (photos/videos/sounds/etc.)
  6.  If you want your complete profile to be unavailable you should either delete it or set it to inactive
  7. Option to select multiple security groups
    • for example; some information might be shared with friends and family, but for example not work colleagues. Rather than creating a new group containing friends and family, have the option to select multiple groups.
  8. By conflicting security settings a notice should be shown (+ link to correct it)

I noticed that the DB contains a table called `sys_privacy_actions` with in it the default privacy settings for every option. Maybe something for the next release of deanos tools, to give site owners a choice of what the default on their site is?

Dedicated servers for as little as $32 (28 euro) - See http://denre.com for more information
Quote · 24 May 2010

I really can't figure out how these work.

On my site I enabled 'default' - 'me only' - 'public' - 'friends' - 'contacts'

I created 2 test profiles and put photos in an album.

I set privacy for photos to 'me only' but still everyone can see them.

I set privacy for photos to 'friends' but still a non-friend can see them.

As a matter of fact, those privacy settings are useless.

Quote · 2 Jun 2010

RE:

1) The default privacy setting should be "Me only"

Wrong.  The 'Me Only' setting needs to go away.  It's very poorly implemented, and should never have been applied to the entire profile.  It renders the profile completely invisible.  Just imagine a site with thousands of members, with every profile set to 'me only' .... you'd have one incredibly useless site.  The setting 'Me Only' should only be applied to very specific owner content.

True, "Me Only" should not apply to Profile. Also when a member has "Me Only", not even the Admin can view his/her profile.

Quote · 2 Jun 2010

know what I would really really like to be able to do?

set the system so each "ACTION" can be turned on-off for various member types.

example: I have a paid membership system

Level-1, level-2, level-3

and the "standard" membership, which is FREE.

I would like to be able to set "standard" membership to NO FRIEND REQUESTS, or any other action, so the button does not show up...

that way only PAID members can actually have friends, FREE members just get to watch all the fun...

Quote · 23 Jan 2011

 

know what I would really really like to be able to do?

set the system so each "ACTION" can be turned on-off for various member types.

example: I have a paid membership system

Level-1, level-2, level-3

and the "standard" membership, which is FREE.

I would like to be able to set "standard" membership to NO FRIEND REQUESTS, or any other action, so the button does not show up...

that way only PAID members can actually have friends, FREE members just get to watch all the fun...

That can be done easily.  You should check out Deano's mod.

http://www.boonex.com/unity/extensions/entry/Enhanced_Page_Block_Visibility

You can use this for action block. I haven't bought it yet but I will when I need it.  :D

Quote · 23 Jan 2011

Download Deano's Tool Box

http://www.boonex.com/unity/extensions/entry/Deanos_Tools_V1_6_Dolphin_7_0_Version

Then create a PHP block insertion using

 

and add in the PHP block the following code.

Now only people with membership ID 2 can see the text (in my configuration, Membership ID 2 means that the user is not a full member yet, and has to wait before he/she can post blogs etc.).

// Fetch the profile record and a few display fields.
$aProfileInfo = getProfileInfo($this->oProfileGen->_iProfileID);
$sIcon = get_member_thumbnail($aProfileInfo['ID'], 'none');
$sNick = $aProfileInfo['NickName'];
$sFLName = $aProfileInfo['FirstName'] . " " . $aProfileInfo['LastName'];

// Membership record for that profile.
$sMemberShipInfo = getMemberMembershipInfo($aProfileInfo['ID']);

$number_three = 3; // not used below

// Show the notice only when the membership ID is 2.
if ($sMemberShipInfo['ID'] == 2) {

    echo '<div id="articles3" class="arl-entry">
<h5>At this moment you have limited access to  <br /> We will review your application as soon as possible.<br />

For this moment you are allowed to view profiles, read most of the materials, watch videos and post comments.

</h5>

</div>';

}

Quote · 23 Jan 2011

Is there a way of removing the golden key altogether from profile view / editing?

Quote · 17 Jan 2012

 

Is there a way of removing the golden key altogether from profile view / editing?

 The "key" only shows for the account holder, "member".. It is used to set all privacy settings for each block on the member profile page.

ManOfTeal.COM a Proud UNA site, six years running strong!
Quote · 17 Jan 2012

 

Is there a way of removing the golden key altogether from profile view / editing?

 Yes there is, I managed to do it a few days ago:

http://www.boonex.com/forums/topic/preventing-users-from-removing-actions-block.htm

Quote · 1 Feb 2012
 
 