Please upgrade here. These earlier versions are no longer being updated and have security issues.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Activity is viewable by the public without login?

edited April 2011 in Vanilla 2.0 - 2.8
Hello all. I am running 2.0.17 and I just noticed today that if you go to the main page and before you login, you can click on Activity and it shows a lot of activity that should not be available to the public. For example, it shows when people change the profile picture, as well as when I change the permissions for a user, including what the permissions were changed too.

Is this the default behavior or something in my setup? (I did not install Vanilla myself, it was installed as an app by GoDaddy.)

I am sure I could secure it through the PHP but is there some setting somewhere to easily disable that? I thought of removing the link to Activity but if you were smart enough to go to the URL you'd still be able to see the information.



  • Options
    Actually since I posted this I started to look at other people's forums and their Activity links. I think you'd be shocked just how much people that don't belong to your community can actually see there.
  • Options
    I figured this out by myself. It seems to be the default setting.

    I changed it by going to Dashboard>Roles & Permissions I edited the Guest permissions and unchecked the View option under Garden for Activity and Profiles.

    I also unchecked it for Applicants, since people on my site have to wait for manual approval and an unapproved applicant is still just a guest.
Sign In or Register to comment.