When a private group is visited by a non-member user, the user will not see the status form to add new statuses to the group (as expected, since the group is private), but howeveruser will see the statuses previously shared in that group, and so breaking the privacy of the group.

I wonder if I'm missing somthing here.

Comments

IceCreamYou’s picture

IceCreamYou CreditAttribution: IceCreamYou commented
Status: Active » Postponed (maintainer needs more info)

Well there's an easy work-around, which is to not show the status update block on group nodes for users who aren't in the group. But this shouldn't be happening anyway. There is an access check on line 91 of includes/utility/statuses.form.inc which ultimately calls access_stream() on line 283 of statuses.contexts.inc. It's not immediately obvious to me what the problem could be and I don't have time right now to test. Can you debug a little and see what might be going on?

IceCreamYou’s picture

IceCreamYou CreditAttribution: IceCreamYou commented

Any update here?

IceCreamYou’s picture

IceCreamYou CreditAttribution: IceCreamYou commented
Status: Postponed (maintainer needs more info) » Closed (cannot reproduce)