I have the latest version of Private Messages (1.1) and it works beautifully. The only thing that I would like to see is some sort of notification when you recieve a Private Message. Just something so that you don't have to check your inbox constantly (or for members who don't know that they should be checking their inbox). Other than that, it works quite nicely. I have never been a fan of the whisper system...
The left panel does let you know when you have an unread message, though...changes to Inbox (1 unread message) or something along those lines.
I agree that it could help to be a bit more noticeable however. Even just simply bolding the font when an unread message is in there would be helpful.
According to the latest documentation, Private Messages is supposed to function as such...with a count of unread messages appended to the "Inbox" label in the top tab when a user has unread messages. This isn't happening for you? You are using 1.1, correct?
I can't recall if my PM add on is doing this... I'll double check and follow up.
We have a few user on our forum that are getting email notifications when they send a PM..... Did ant one ever figure out the cause for this or a fix for it?
I'm running Private messages v2, the one that has been forked from the official extension to include a better UI and a 'delete' function. Some of my users are starting to get smart about the inherent flaw in this extension-- the messages aren't really private, they are just hidden (i.e. if you luck in on a discussion ID and comment ID combo, you can read another two users private messages).
Is there a way to make this message system truly private, or to obscure the addressing system so its not so easy to crack? I'm guessing friendly URLs might be a solution, but that extension seems to cause conflict with other extensions.
WOW this is a hell of a security flaw.... all users can, by changing the discussion ID, start at 1 and work your way up and read EVERY PM and post including the our "admin" category, even deleted posts.
How do we fix this!
They will be denied access to the message/admin post/etc at the time of loading (it checks the permissions, I promise). All they will be able to tell is that there is a message with ID "X" that they don't have access to. (could be just about anything)
EDIT: Guess not with the PM's, but with a fresh install of vanilla, this is not a flaw; if it is in fact the case, then it is a problem in the extension's code, not the core.
fsicsluvr, you are wrong on the access being denied to the admin post's... they are totally viewable.
From what I have seen, "Private Messages" is the only PM system for vanilla. Or is there another?
Yes, I just checked it with my normal user account and the problem occured again (this problem was also pointed to me by my regular users).
At least it doesn't happen for guest/unauthenticated users.
EDIT: It gets more interesting... A thread that was deleted by accident (and I have been unable to undelete as much as I try through the front end) appears to be accessible only via the private message extension. Users have started to post in this hidden thread which mod and admins can't see unless they know the address... Example: /forums/comments.php?DiscussionID=62&page=1 doesn't load (gives errors dealing with ajaxquote and category roles which I'm going to have to look into) and forums/extension.php?PostBackAction=PrivateMessages&DiscussionID=62 doesn't load the deleted thread BUT forums/extension.php?PostBackAction=PrivateMessages&DiscussionID=62&View=Message loads the deleted thread. This makes me think its something to do with the &View=Message bit. Actually it looks like you can load any DicussionID through this method on our server.
Also appears that this is the critical bit to let you view others private messages as well.
Not to detract too much from this security issue (agreed it is big, just that my forum is so tiny and personal it's not an issue)...
Do you guys also not have any "edit, delete or quote (ajax quote)" options in each pm's comment list as they appear in a normal discussion? I have a number of extensions that refuse to carry over to the PM extension, which I can learn to live with, but I'm surrised these basic controls are stripped from the comment lists... Ideas?
Comments
Seems this portion of the default.php code is what is trying to make this happen:
if (isset($Menu)) { $PrivateMessages = $Context->ObjectFactory->NewContextObject($Context, 'PrivateMessages'); $TotalMessages = $PrivateMessages->GetDiscussionCount("Inbox"); $ReadMessages = $PrivateMessages->GetReadMessagesCount(); $UnreadMessages = $PrivateMessages->GetUnreadMessagesCount(); $NewMessages = ($TotalMessages - $ReadMessages) + $UnreadMessages; $TabName = $Context->GetDefinition('PrivateMessagesTab'); $Inbox = $Context->GetDefinition('Inbox'); if ($NewMessages > '0') { $TabName .= ' ('.$NewMessages.')'; $Inbox .= ' ('.$NewMessages.' '.$Context->Dictionary['NewMessage'].')'; } $Menu->AddTab($TabName, 'privatemessages', GetUrl($Configuration, 'extension.php', '', '', '', '', 'PostBackAction=PrivateMessages'), '', $Configuration['TAB_POSITION_PRIVATE_MESSAGES']); $Title = $Context->GetDefinition('PrivateMessages'); $Panel->AddList($Title, 100); $Panel->AddListItem($Title, $Inbox, GetUrl($Configuration, 'extension.php', '', '', '', '', 'PostBackAction=PrivateMessages')); $Panel->AddListItem($Title, $Context->GetDefinition('SentMail'), GetUrl($Configuration, 'extension.php', '', '', '', '', 'PostBackAction=PrivateMessages&View=SentMail')); $Panel->AddListItem($Title, $Context->GetDefinition('SendPrivateMessage'), GetUrl($Configuration, 'extension.php', '', '', '', '', 'PostBackAction=PrivateMessages&View=SendMessage'));
Everything in check here? Any reason this wouldn't be working?
Is there a way to make this message system truly private, or to obscure the addressing system so its not so easy to crack? I'm guessing friendly URLs might be a solution, but that extension seems to cause conflict with other extensions.
EDIT: Guess not with the PM's, but with a fresh install of vanilla, this is not a flaw; if it is in fact the case, then it is a problem in the extension's code, not the core.
Any idea of what extensions could be causing the conflict?
At least it doesn't happen for guest/unauthenticated users.
EDIT: It gets more interesting... A thread that was deleted by accident (and I have been unable to undelete as much as I try through the front end) appears to be accessible only via the private message extension. Users have started to post in this hidden thread which mod and admins can't see unless they know the address...
Example:
/forums/comments.php?DiscussionID=62&page=1 doesn't load (gives errors dealing with ajaxquote and category roles which I'm going to have to look into)
and
forums/extension.php?PostBackAction=PrivateMessages&DiscussionID=62 doesn't load the deleted thread
BUT
forums/extension.php?PostBackAction=PrivateMessages&DiscussionID=62&View=Message loads the deleted thread. This makes me think its something to do with the &View=Message bit. Actually it looks like you can load any DicussionID through this method on our server.
Also appears that this is the critical bit to let you view others private messages as well.