Please upgrade here. These earlier versions are no longer being updated and have security issues.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.
Activity is viewable by the public without login?
Hello all. I am running 2.0.17 and I just noticed today that if you go to the main page and before you login, you can click on Activity and it shows a lot of activity that should not be available to the public. For example, it shows when people change the profile picture, as well as when I change the permissions for a user, including what the permissions were changed too.
Is this the default behavior or something in my setup? (I did not install Vanilla myself, it was installed as an app by GoDaddy.)
I am sure I could secure it through the PHP but is there some setting somewhere to easily disable that? I thought of removing the link to Activity but if you were smart enough to go to the URL you'd still be able to see the information.
Thanks!
Is this the default behavior or something in my setup? (I did not install Vanilla myself, it was installed as an app by GoDaddy.)
I am sure I could secure it through the PHP but is there some setting somewhere to easily disable that? I thought of removing the link to Activity but if you were smart enough to go to the URL you'd still be able to see the information.
Thanks!
Tagged:
0
Comments
I changed it by going to Dashboard>Roles & Permissions I edited the Guest permissions and unchecked the View option under Garden for Activity and Profiles.
I also unchecked it for Applicants, since people on my site have to wait for manual approval and an unapproved applicant is still just a guest.