• Logged out users as well as non-approved users can access any user’s profile in a private network if they have their profile URL.

    All profile urls – except your own – should forward to the same page as any other member page until approval.

    Forwarding for all other member pages works. Tested with different & standard WP themes.

Viewing 5 replies - 1 through 5 (of 5 total)
  • Michael Beckwith

    (@tw2113)

    The BenchPresser

    Hi @chrisrohrer

    Trying to make sure I’m covering each part outlined above, and working to confirm if I’m seeing that or not.

    I have my local set up to be a private network at the moment. Username tw2113. When I visit https://buddypress.test/members/tw2113/ while logged out, I’m being redirected to the homepage, which is our default behavior.

    That said, when logged in, I am able to access a profile incorrectly, in terms of intended functionality here.

    Looks like this line below is a little too permissive, specifically in the bp_is_user_profile() spot. Likely checking if a profile at all.

    if ( bp_is_my_profile() || bp_is_user_profile() || bp_is_user_profile_edit() || 'register' === $bp->current_component || 'activate' === $bp->current_component ) { ...}
    

    SLIGHT edge case because a given person would need to know a username first, and if it’s all a private network, they should not be able to find any user names. That said, I’m not dismissing this and will be filing an issue to get this looked into and resolved.

    Feel free to chime in with any extra thoughts or ideas, I’m definitely open to some more feedback.

    Thread Starter chrisrohrer

    (@chrisrohrer)

    Thanks for the quick reply, @tw2113

    I’m not sure why this issue presents differently for you. I tried to be careful and use a standard theme, no unnecessary plugins and clear my cache when testing. Tried again just now and it still shows up for logged in and logged out users at my end.

    However, I believe you have identified the right piece of code, as it doesn’t seem to be able to fully distinguish between the user’s own profile and that of another.

    It is an edge case. However, if the profiles were ever crawled, or linked somewhere else, before changing the network to private, this could be a real privacy issue.

    As I am updating a page that’s been setup before I joined the project, this might very well be the case. So, thank you for looking into it!

    Michael Beckwith

    (@tw2113)

    The BenchPresser

    Theme/other plugins/etc shouldn’t be a factor at all in this. We are mostly checking for BuddyPress components which would be theme agnostic.

    You can see the whole function at https://github.com/WebDevStudios/BuddyPress-Registration-Options/blob/4.3.10/includes/core.php#L368-L449 if you’re curious

    Not quite sure exactly when I’ll be able to get something pushed out for this, so if you’re wanting/needing a quick fix, I could look into something using this filter, from the https://github.com/WebDevStudios/BuddyPress-Registration-Options/blob/4.3.10/includes/core.php#L492-L512 function.

    /**
     * Filter for user-set custom areas of BuddyPress.
     *
     * @since 4.3.0
     *
     * @param bool $allowed Current allowed value.
     */
    return apply_filters( 'bprwg_buddypress_allowed_areas', $allowed );
    
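As an added illustration of the quick-fix route suggested above (this is example code, not the plugin’s own or the poster’s), the filter can be used to treat every member profile other than the visitor’s own as a blocked page. It assumes the BuddyPress core functions `bp_is_user()` and `bp_is_my_profile()`, and assumes the plugin applies `bprwg_buddypress_allowed_areas` only when deciding whether a logged-out or not-yet-approved visitor may stay on the current page; the function name `example_restrict_foreign_profiles` is hypothetical:

```php
<?php
/**
 * Added example (not the plugin's code): deny the "allowed area" status to
 * any member profile that is not the visitor's own, so that a logged-out or
 * unapproved visitor who lands on /members/<username>/ gets the same redirect
 * as any other member page.
 *
 * Assumptions: BuddyPress provides bp_is_user() (true on any member page) and
 * bp_is_my_profile() (true only when the displayed member is the logged-in
 * user); the plugin runs this filter only for visitors it would otherwise
 * redirect. The function name below is hypothetical.
 */
add_filter( 'bprwg_buddypress_allowed_areas', 'example_restrict_foreign_profiles', 10, 1 );

/**
 * @param bool $allowed Value computed by the plugin for the current page.
 * @return bool
 */
function example_restrict_foreign_profiles( $allowed ) {
	// Not a member page (register, activate, etc.): keep the plugin's decision.
	if ( ! function_exists( 'bp_is_user' ) || ! bp_is_user() ) {
		return $allowed;
	}

	// The visitor's own profile (and its edit screens) stays reachable.
	if ( bp_is_my_profile() ) {
		return $allowed;
	}

	// Someone else's profile. When logged out there is no logged-in user, so
	// bp_is_my_profile() is false and this branch also covers the original
	// report's logged-out case.
	return false;
}
```

This only narrows what the plugin already allows (it never returns true where the plugin returned false), so dropping it in a small mu-plugin or the theme’s functions.php is a safe stopgap until the release that removes `bp_is_user_profile()` from the condition ships.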

    We’re also experiencing this issue. The thing is that we have a private network but I have found that non-approved members can find members by viewing the comments on blog posts, which are publicly available for anyone. If a member of our site has commented on the blog post there will be a link to that member’s profile page. So they don’t need to guess profile names.

    We have removed the “|| bp_is_user_profile()” part and that seems to work. I hope you’ll include this fix in the next version.

    Michael Beckwith

    (@tw2113)

    The BenchPresser

    Yes, that change mentioned above is included in the intended 4.4.0 release, which is 98% done but want to do one last round of testing before pushing out to everyone.

  • The topic ‘Logged out users can access profiles via URL’ is closed to new replies.