Improve user profile permissions on activity [#1338386]

I have Heartbeat install in combination with User Relationship and notice a security issue with permission of activity in the stream. I tried all combination and the permssion "Only my friend" does not seems to be working. It do like the "Everyone". The post in the stream are available to everyone....

Comments

Comment #1

Stalski CreditAttribution: Stalski commented 4 December 2011 at 17:36

Can you explain this any further? I tried to set up this again and it seems to work just fine.

Set-up:
- MessageTemplate A with restrictions on "only user and relations can see the message"
- User A is friend with User B, User C is not
- Everybody posts a tweet (the message template I mentioned above)
- As userA , I can't see the activity for that template of user C and vise versa.

Comment #2

sw3b CreditAttribution: sw3b commented 5 December 2011 at 07:16

The permission is set by the user itself in his profile settings. I give the permssion to the user to set there own permission. If i go in the template it work but with the permission of the user it does not. The concept is everybody can see and the user are responsible to set there own access. Does it make sense ?!?

Comment #3

Stalski CreditAttribution: Stalski commented 5 December 2011 at 08:42

Ah ok. I planned an other session on this issue tonight and was going to play with the user permission.
Thx for this feedback.
What you said before makes sense. The only thing we need to keep in mind is that the permission on the user profile will be lower or equal then the ones allowed in the templates.

Comment #4

Stalski CreditAttribution: Stalski commented 8 December 2011 at 07:57

Status:

Active

» Needs review

This was rather difficult to fix in the query (which did not work).
Now the LEAST permission of "user_profile_access" and "message_access" is kept to calculate the messages.

Can you reply your feedback on the new permission handling? (code is pushed to git)

Comment #5

sw3b CreditAttribution: sw3b commented 8 December 2011 at 13:31

Status:

Needs review

» Needs work

I test on my side and the "Only my friends" setting did not work. To see if it work I did this.

User A is the user who post activity
User B is a friend of User A

User B go to User A activity stream in his profile and he can see all the stream. -> OK (Seeting to everybody)
User A change the settings of this friend to "Only me" and User B cannot see the activity in the stream. -> OK
User A set it to "Only my friend" and now User B see the activity. -> OK
User A remove the User B form his friend, and User B still can see my activity. -> Not OK (The settings are to "Friends Only" not "Everybody")

I'm using User Relationship for friend module.

For what I can tell, it does not any difference to set to Everybody of Only my friends. Any user can see the activity. The seetings is change in the user profile.

Not only this but I tried to change setting in template directly instead of the profile and it does not seems to be working either.

@Stalski Want a try on my website ?

Comment #6

Stalski CreditAttribution: Stalski commented 9 December 2011 at 00:09

Status:

Needs work

» Needs review

This error should be fixed as well now. The calculated "friends" include the current user. The current user for the stream was set to the viewed person while it's the viewer and his friends which need be be taken in consideration.

Happy testing.

Comment #7

sw3b CreditAttribution: sw3b commented 15 December 2011 at 18:00

Status:

Needs review

» Needs work

Hi, thanks to have work on this, i think it make it a better module with this feature working.

I test on my side and the permissions seems to be working correctly! The only thing who does not show all past activity is when you switch the settings from/to everyone to anything else.... only the new post will be affect by the new settings. This is now a big problem but I would be nice if it work has other permission. When permission is change it apply on all post.

I also notive in the user profile settings this error message when user save settings. The first time you save it does not make an error. But after the second save it make the error...weird.

Notice : Object of class stdClass could not be converted to int dans HeartbeatActivity->setAccess() (ligne 180 dans /home/website/www/www/sites/all/modules/heartbeat/includes/heartbeatactivity.inc).

So far it is the best release for the permission...the only thing I would suggest is to correct the error when save settings.

Could you explain this settings I do not understand it "Only the user himself and the addressee are allowed to see this message". What mean addressee ?!? And the 4 check box in the section Privacy settings are for what ?!?

Comment #8

Stalski CreditAttribution: Stalski commented 23 December 2011 at 21:31

I test on my side and the permissions seems to be working correctly! The only thing who does not show all past activity is when you switch the settings from/to everyone to anything else.... only the new post will be affect by the new settings. This is now a big problem but I would be nice if it work has other permission. When permission is change it apply on all post.

Well, I've been struggling a lot with the default configuration of this one. I think what you say is "sometimes" true but mostly not.
E.g. If I tweet some day "X" , and the day after I change the setting to only visible to private, then the message before was public, wasn't it. On the other hand, I can imagine suddenly people change the privacy of their message template A because they realize that those messages should not be public.
I'll dive it that permission check system again and maybe restrict the privacy when it becomes lower.

I don't get the notice you are talking about. I do know this only could happen when the rule is triggered for saving an account.
I think it's not possible to have your database dump? I am searching for real life use cases and I can't reproduce all the behaviors in cooperation with all the modules that work together with heartbeat.

- Addressee is maybe a bad word for it, but it only means that sometimes activity is addressed to someone. E.g. the user you are getting friend or fan with, commenting on a node and notifying the author of that node, posting a tweet to someone, ...
- The 4 check box you said, I don't really understand since there are only radio's and selectboxes. If you mean the radio's then the description of that fields tells you: "This setting will apply to status updates to the profile when no access restriction is known (E.g. activity being logged from external sources)." Facebook does also provide such a setting and is needed when other external activity is logged. It's important that you can configure that to your own requirements.

Comment #9

sw3b CreditAttribution: sw3b commented 31 December 2011 at 06:29

I check for the error and it was the rule when user update their profile. So by disabling this rules it solve my problem. I do not need this rule anyway. If you still want the database just send me a private message with email adresse i can put the whole installation into a zip to download... i don't care the site is not in production yet. It on the dev section for now.

Thanks to clearified the permission term.... i was a bit lost with the term.... english is not my first language so... it help.

For the permission, could it be possible, has a suggestion, to add an option in the user profile to rebuild permission on their post. A bit like Facebook with old publication. User click on a button and it rebuild the permission on old stuff with the current settings. Maybe it could be much easy that way, and user who want to block old stuff have the choice to do it or not.