User-specific Activity (wall)
When enabling this plugin I notice that the visible information is not filtered to the signed-in user. Nor have I found a Vanilla "privacy" option that can limit what activity is visible to other users. With the lack of an official "Friend" system (the few Friends plugins are not comprehensive enough) tied into privacy options, the current unfiltered Activity feature is way too open -- more like showing the entire system log to all users...
Until the Activity feature is enhanced, this plugin could help if it had an option to filter the visible information to activities that directly relate to the specific signed-in user.
You can modify this plugin to set the role to the currently logged in user. Modify default.php line 23 to $RecentActivityModule->GetData(10, Gdn::Session()->User->RoleID); Not sure if that does what you are looking for, but it is a start.
Search first
Check out the Documentation! We are always looking for new content and pull requests.
Click on insightful, awesome, and funny reactions to thank community volunteers for their valuable posts.
Thanks @hgtonight. Tried that and it doesn't filter on the signed-in user. I don't actually know how the magic works but looking at the syntax I suspect that you filter by the role rather than the userid so it may also show other users with the same role.
What I was looking for is that the filter would be by the signed-in user so each user could only see his own activity - his own wall.
The activity model actually handles notifications and public activity. Public activity can pertain to a specific user, but is still public. You can filter the full activity wall (e.g. http://vanillaforums.org/activity) down to a specific user ala the profile activity page (e.g. http://vanillaforums.org/profile/activity/38268/hgtonight).
Is the profile activity what you want to see?
The activity is a global activity. There is no way to filter who sees it from who. That would be great but that would imply that a user would have his or her own profile page and the content would belong to that page alone.
This is not the case with activity. What you post on your page is also seen in the global activity page.
The best thing would be to be able to make your profile and content private. But it was not set up that way.
❌ ✊ ♥. ¸. ••. ¸♥¸. ••. ¸♥ ✊ ❌
Yes, but not for another user, just for the signed in user. When I look at the URL you specified I recognize your id but don't know what the number 38268 means. Regardless, I was hoping that the plugin would filter on that.
But I now realize that even if the plugin filtered on the signed-on userid, he can still go to his profile's Activity tab and see everyone's activity. That's a problem.
I tried to uncheck the permission to view activity in "Roles & Permissions", but that has two problems:
So it seems that even if the plugin were to filter on the userid, the profile Activity Tab will reveal everything. Thus, the solution seems to be that the scope of what is visible to users under Activity should be set outside the plugin, as a permission under Roles & Permission (something like "See other users Activity") and then this plugin as well as the Profile Activity tab would honor that permission.
Seems that right now I have hit a wall (pun intended).
I am less concerned about the privacy of what users explicitly post on their profile. I am concerned about the privacy of the entries reflecting their activity in different Categories because in our forum not all users have permission to all categories, so finding what a user A did in a category that is hidden from user B is a problem.
I understand. Anyone without permission to view a specific category should not be able to view any activity or anything related to the category.
An option to be able to mark something private, so that only those with permission to view would be allowed to view it, or get redirected if they try to view. Or simply hide the content altogether.
That would be a nice plugin.
Am I to understand that despite the fact that every activity is shown with a picture and userid, the activities themselves are not related to a specific user and thus cannot be filtered? Hard to believe.
As for marking an activity as private -- I fear that this "after the fact" marking leaves room for forgetting or, worse, for having it revealed in the window between the activity and the marking. I'd rather leverage the existing permission settings to implement basic profile privacy options set by the admin (and if he allows it, also set by each user):
If I understand Vanilla correctly, a plugin can alter the way Vanilla works by augmenting or substituting existing built-in functions. Thus I hope the above scheme could be implemented in this way so that both the Activity options within the Profile as well as the "Recent Activity" plugin would honor these permissions.
So while this scheme does not control what is included in the user's activity, it does control who sees it.
Last but not least: Note #3 and #4 above -- I can envision future features that somewhat "tie" users together (like "Like", "Follow", etc.) - it would be nice if the function would be extensible so that whoever comes up with a new plugin/feature could add a permission setting to "show my activity to X" (where X is a feature of a plugin like Share, Like, Follow, etc.)
Well, you could do it by using arguments: if user marked his profile private, return null, redirect.
That would be the simplest thing. Adding an option to each profile to mark it private, and if it is marked private, it automatically redirects the user elsewhere.
If you wanted to be even more specific and filter specific people, then you need to use a roles system. Or some other argument. Possibly another option for users to block specific people from contacting the user.
Option block me: if user b has been blocked from user a, redirect.
I am sure it is more complicated than what I am presenting. But that is the logic behind it from what I can understand of how vanilla works.
You need to hook into existing functions, not bypass them. The functions are pretty flexible.
It needs to be as simple as possible. A blocks B, B gets redirected or gets a "no discussions found" thing.
Earlier I noted what I saw as a privacy exposure: that the Activity tab shows activities of every user. Interestingly enough, even if Roles & Permissions does not allow viewing of profiles, the activity tab will show every activity. I understand that profile viewing is distinct from activity viewing, but just wanted to mention this curiosity.
to @vrijvlinder: I am not a programmer, so what I wrote was more from the point of view of an administrator, not from a programming point of view (which I wouldn't know much about). I'd have to defer to better minds as to the how, I merely reflect on the what...
You could filter by user id, but it couldn't be done in pure SQL since that field is serialized IIRC. So you would have to remove items after the query which is only an issue when it comes to consistent page size.
I assume you respond to my feedback on "Modify the default.php line 23 to $RecentActivityModule->GetData(10, Gdn::Session()->User->RoleID);. ". If this forum had nested responses it would have been clear to me what exactly you respond to (but that's another subject altogether).
Why is it not possible to have another preceding statement that saves the current signed-on userid in a variable (e.g. CurrentUserID) and then filter the results in something like " $RecentActivityModule->GetData(10, Gdn::Session()->User->CurrentUserID);. "
I am of course just guessing, not being a programmer and not understanding at all how this statement works or what the "->" actually do... I'd have tried it rather than posting it on the forum (with the risk of having everyone laugh at my attempt), but I don't actually know how to put the current userid into CurrentUserID...
Also, if I had not made it clear -- I don't really want to limit what Vanilla records in the database, just limit what it shows the user (hopefully limit it through permissions).
Are you working in 2.0 or 2.1? Some of my concerns only pertain to 2.1.
You can do anything you want in terms of filtering. You have to create your own module (or override an existing one) to make these changes. You can get recent activity on a per user basis via the get method:
This will only return activity records where the ActivityUserID field is equal to the current user.
In standard Model-View-Controller (MVC) architecture, the controller does all the permission checking. So you modify your model calls in the wanted controller to enforce permissions. The model can be extended to make your life easier, of course.
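The two replies above describe dropping rows after the query and enforcing the rule in the controller; the following is an added example of that pattern, not code from the thread or from Vanilla. It is plain PHP over constructed data: fetchRaw(), mayView(), visiblePage() and the CategoryID field are hypothetical names, and only ActivityUserID comes from the thread. It compares a single filtered slice, which comes back short, with a loop that keeps fetching until the page is full.

```php
<?php
// Constructed sample log, newest first. Only ActivityUserID is a field name
// from the thread; CategoryID (null = profile post) is assumed for the example.
$log = [
    ['ActivityID' => 9, 'ActivityUserID' => 2, 'CategoryID' => 5],
    ['ActivityID' => 8, 'ActivityUserID' => 7, 'CategoryID' => 1],
    ['ActivityID' => 7, 'ActivityUserID' => 3, 'CategoryID' => 5],
    ['ActivityID' => 6, 'ActivityUserID' => 2, 'CategoryID' => 1],
    ['ActivityID' => 5, 'ActivityUserID' => 3, 'CategoryID' => 5],
    ['ActivityID' => 4, 'ActivityUserID' => 7, 'CategoryID' => null],
    ['ActivityID' => 3, 'ActivityUserID' => 3, 'CategoryID' => 1],
];

// Hypothetical stand-in for the model query: one raw, unfiltered slice.
function fetchRaw(array $log, int $offset, int $limit): array {
    return array_slice($log, $offset, $limit);
}

// The rule the controller enforces: the viewer must be allowed into the row's
// category, and with $ownOnly the row must also be the viewer's own.
function mayView(array $row, int $viewerId, array $allowedCats, bool $ownOnly): bool {
    $cat = $row['CategoryID'];
    if ($cat !== null && !in_array($cat, $allowedCats, true)) {
        return false;
    }
    return !$ownOnly || $row['ActivityUserID'] === $viewerId;
}

// Filter after the query, fetching further raw slices until the page is full
// or the log runs out. 'next' is the raw offset where the following page starts.
function visiblePage(array $log, int $viewerId, array $allowedCats, bool $ownOnly,
                     int $pageSize, int $rawOffset = 0): array {
    $rows = [];
    while (count($rows) < $pageSize && ($batch = fetchRaw($log, $rawOffset, $pageSize))) {
        foreach ($batch as $row) {
            $rawOffset++;
            if (mayView($row, $viewerId, $allowedCats, $ownOnly)) {
                $rows[] = $row;
                if (count($rows) === $pageSize) break;
            }
        }
    }
    return ['rows' => $rows, 'next' => $rawOffset];
}

// Viewer 7 may only enter category 1; page size 3.
$naive = array_filter(fetchRaw($log, 0, 3), fn($r) => mayView($r, 7, [1], false));
$wall  = visiblePage($log, 7, [1], false, 3);
$own   = visiblePage($log, 7, [1], true, 3);
printf("naive: %d row(s); wall: %s; own only: %s\n", count($naive),
    implode(',', array_column($wall['rows'], 'ActivityID')),
    implode(',', array_column($own['rows'], 'ActivityID')));
```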
Thanks! I'm running Version 2.0.18.8. Not sure how to combine the above into the plugin that shows recent activity and furthermore how it will affect the Activity in the user tab (I hope it does).
why worry about other things when your forum is insecure because it is out of date.
it is baffling to see people ask questions about plugins and themes when they are putting their forum users at risk by making an insecure forum.
I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.
Hi @peregrine. Our forum is not live yet. We're researching the use of Vanilla. Open to recommendation as to which version to ask the host provider to install.
2.0.18.10 is the latest stable version.
since there are hundreds of conversations as to which is best - I won't bother regurgitating it.
the best is the one which has security flaws fixed. 2.0.18.10 or (2.1b2 with security fixes applied.)
the answers can be found in this link and the associated discussions dealing with version releases - which should be read.
http://vanillaforums.org/addon/vanilla-core
http://vanillaforums.org/discussion/25668/dec-2013-security-update-2-0-18-10-and-2-1b2
http://vanillaforums.org/discussion/26378/onward-to-2-1b3#latest
Thanks, I will ask my host to upgrade to 2.0.18.10.