Vanilla 1 is no longer supported or maintained. If you need a copy, you can get it here.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

basic alternative PM extension (due to security flaw with original PM extension)

edited August 2008 in Vanilla 1.0 Help
the original PM extension was written after my request for a way for users to contact each other without whispering, and it has served my forum very well, but a security flaw has been exposed whereby any user can view any PM. this extension has been bodged with hacks for a while and it seems it is no longer supported.

i was wondering if anyone could knock something together to replace the PM extension. (my users have tried whispers - they don't like them).

here is my idea; a link next to each comment (where the 'quote', 'edit', 'delete' text appears), linking to a pop-up email form. this would allow users to fire off a quick email without the complexity of a PM system, and without revealing anyone's email address. this could be made visible only for logged in users, although there may still have to be some basic bot protection (PLEASE not captcha!!).

this would also save the users having to rely on the notify extension (which only notifies on replies - not when new messages are posted), and eliminates the annoyance of yet another mailbox to check.


  • basic alternative PM extension = whispers

    whispers definitely have a bit of a learning curve, and your users won't like it, but once they figure them out, they'll love 'em. i guarantee it. that's why it's included in the core of vanilla.
  • One alternative would be a simulated 'inbox' interface to view whispers.

    But I really like that email idea.
  • edited June 2008
    "whispers definitely have a bit of a learning curve, and your users won't like it, but once they figure them out, they'll love 'em. i guarantee it. that's why it's included in the core of vanilla." sorry, we have tried them, and it didn't work. it's patronising to say people just need to get used to them. i enabled them once, and this caused lots of confusion- and lots of time wasted trying to explain how they work. my forum is for listing gigs and events and communicating about line-up changes - information that people need in one place, and fast. discussions are not always centralised, and people sometimes just need to be alerted to someone's contact details or something. this is another reason why whispers are not suitable - the info is too buried. my attitude is that i run the site for the users to get the most out of it in an intuitive way, without a vast amount of time wasted on 'learning' things - hence why i think an email link is a better idea.
  • okay, I see your point, and in that situation, whispers aren't the best form of one-to-one communication. what i would do is post a sticky thread notifying your users that the messaging system has been disabled temporarily due to a security issue (if you haven't done so already), and explain what is being done to replace it until it is patched, or indefinitely. the email idea is a winner!
  • hm, i wish i had the skills to be able to write this myself, it's sorely needed! how about a link in the user profile that, when clicked, sends the email address for that user to your own email account? crude, but it'd do for now...
  • each user has the choice to display their email address on their account page. if you use PrivateAccounts, then only registered users can see the user account pages.
  • Love this idea, would be great for it to include a link to the thread (or even the comment) where the "email" link was clicked as that then gives it a context.
  • edited June 2008
    i just had a look at writing extensions but quickly realised that there is no way i could do this without a lot of time and a lot of headaches! guess i will wait patiently in case someone would like to pick it up. i would probably be able to rustle up a small donation for the person who could make it. (no promises tho!) a third alternative to this idea could be a contact form on the user profile page. however, this may interfere with other extensions that use the limited space on the right-hand panel of the account page.
  • desperate bump!!
  • edited July 2008
    i have had another go but still can't get this right. waiting for someone to take pity on us!
  • This email user link idea would be ideal for my needs and would stop the incessant request for PM functionality - *hopes and waits patiently*
  • I've already done the email link for a friend and could expand it to add a field for a message.
  • I checked my EmailThis add-on which I never distributed. It would add a link to each comment next to the "edit, block user, etc" links. When you click on it, you are prompted to enter an email address, and then your mail client opens with the comment link in the body of the message and the email address filled in with a standard subject line. You could then enter your message and click send.

    I also looked at the ReportPost add-on. It just sends an email automatically to whoever you have indicated as the support email address with the link of the comment. You don't get a chance to enter a message. This could be modified to prompt the user to enter a message (although I don't know how hard or easy that would be - might be worthwhile sending a message to that add-on's author).

    Which sounds better for a user?
  • edited July 2008
    i'm assuming that, in the first example, you would pull the email address from the database? either way, i think the second one sounds better. less hassle for the user, and more integrated into the forum. possibly neater in appearance. most importantly, the first idea would not work if the user was on a public PC without a mail client installed, or might be impractical for some other reason (e.g. operating system has not been set up to handle 'mailto' links in the correct way... maybe you're on a friend's PC and you don't want to email someone through their mail application for privacy reasons... etc).
  • any news? pretty please?
  • I have been out of it for a while. Sorry. I looked at the ReportThis extension and it can be modified. However, what about the shout box. Would that work?
  • a shout box? i think it would need to be a private system to be honest, or a way of providing email addresses without displaying them in the forum for all to see.
This discussion has been closed.