ISSUE SUMMARY:
I have seen the ticket of this Confirmed bug
www.jomsocial.com/forum/events/31597-eve...ng-up-in-photostream

That bug has not been fixed yet.

But I want to report on further bugs connected to that. Photos in private events are not being kept private:

Photos uploaded into the album of a private/closed event can be seen in the following places
- album cover shows in Photos > Event albums to all members, even if they were not invited to the private event
- the whole event album can be accessed by all members, even if they were not invited to the private event
- event name shows there to all members, even if they were not invited to the private event, which breaches the event's privacy
- the photo also appears in the Home page newsfeed of friends who were not invited to the event (from here the whole album can also be accessed)
- the photo can also be seen on the Profile page of the host
- if you view the photo, from here click 'view album' and you will go to part of the private event page, showing event title, event date, host, number of attendees - this breaches the event privacy
- If you click direct on the the event name in the Newsfeed or Profile page the event cannot be viewed, BUT the details can be viewed by the method above.

- Photos uploaded into the stream of private/closed event can be seen from
- Home page newsfeed of friends who were not invited to the event
- the photos can also be seen on the Profile page of the person who posted the photos.
- from Newsfeed if you click on 'Stream photos album' and then 'View Album' you can see Stream photos album, Cover photo, and Event Albums
- some event info can also be viewed here - event title, event date, host, number of attendees

STEPS TO REPLICATE:
1 create a private event
2 post a photo in the stream
3 create an event album and post a photo in there
4 now log on as a friend of the event host, ( the friend has not been invited to the party.)

RESULT Friend can see pictures EVERYWHERE! Friend is upset he wasn't invited to the party as he has seen the details! Friend has also seen private pictures! The only thing the friend doesn't know is address of the event!
EXPECTED RESULT Photos for private events cannot be seen in Photos, Newsfeed, Profile or Events by people who are not invited to the event.

I think this is a very urgent bug. There could be a serious breach of privacy for a Jomsocial user. This needs to be fixed soon!

Hi,

please try this fix:
www.jomsocial.com/forum/events/31597-eve...n-photostream#155223

let me know the result

Regards

Hi,
Before I apply this fix, could you tell me if you believe it will tackle all the bugs I have identified? I do not want to implement a partial fix and have to ask for another fix! The support ticket 31597 does not include all the bugs I found, so I can't tell whether it will fix the problems.

Thank you

Hi,

its a bug. please wait for the fix.

Regards

Hi,

here the fix:

unzip that file and put it at:
/components/com_community/controllers/photos.php
/components/com_community/controllers/system.php
/components/com_community/helpers/access/events.php
/components/com_community/templates/jomsocial/layouts/album/list.php
/components/com_community/templates/jomsocial/layouts/events/single.php

FYI:
the old one that is hanging in the stream wont be gone due to the bug. but newly added one will be properly handled

Regards

Hi,

This bug is not completely fixed......

Users can still access the photo and Event details by several ways via Event Albums:

- album cover shows in Photos > Event albums to all members, even if they were not invited to the private event
- the whole event album can be accessed by all members, even if they were not invited to the private event
- event name shows there to all members, even if they were not invited to the private event, which breaches the event's privacy
- the photo can also be seen via the Profile page of the host by going to Photos, Event Albums
- from here click 'view album' and you will go to part of the private event page, showing event title, event date, host, number of attendees - this breaches the event privacy

Please can you test fixes before you release them.....? I listed in a lot of detail a lot of scenarios where the photo and event information could be found! Surely a fix should be tested against everything that was listed in the support ticket before you release it?! It is annoying for us to implement a fix and re-test it and discover that the fix does not work! I hope you understand!

Thank you.

Hi,

before I sent, the fixhas been tested at my test site.
I need your FTP access detail. currently your FTP only for dev3 site. I need dev4 FTP.

I want to check, the fix properly applied or not.

Regards

I have added the FTP details by editing the first post

Hi,

sorry back to you again. I need login for registered user. I want make some test at your site.
I created test user from backend, but I cant login with that. seem your site having unique flow.

Regards

Also, now one of our users has reported that 'likes' for a private event are showing in the activity stream for people who aren't invited.

Please. When an event is private it is important that everything is private? We can't test every aspect of Jomsocial every time there is an upgrade.

Hi,

our developer still on this issue. sorry for this inconvenience.

Regards

Hi,

about liked event appear at public stream, this is by design.
"Invitation only" does not mean this item can't be seen by those that are not invited, it merely stands for "you can join this event only if you have invitation, or your invitation request is accepted"

If non atendees can't see it, how will they ever request an invitation?

Regards

Albertus,

There are two 'privacy' options when creating an event
- invitation only
- hide on list of events.

The 'invitation only' option means that a member must ask permission to join. That is for events that the Event Owner wants to publicise, but wants to have control over who attends.

The second option 'hide on list of events' is designed to make the event completely private so that non-guests cannot see the event or ask to join if they are not already invited.

I know this, because I have corresponded at length with Jomsocial/Sinisa/Michal/Paul for 2 years on the need for privacy of these type of events! Everything about an event should be hidden from non-guests if the Event Owner chooses 'hide on list of events
i.e. nothing about the event should appear in Activity Stream (including likes & photos). Nor should it show on the Profile of Event Owner or guests, Albums, Event lists, or anywhere else to people who are not invited.

There is no way that is can be correct design that if you make an event 'hidden' from the event list that likes for the event will show publicly in Activity Stream??

On my website, the need for event privacy is because people want to be able to have private parties like birthday parties. They want to invite 10 friends, and they don't want their other friends to be offended that they are not invited. Like on Facebook, when you make things private? You don't want to invite people to your private party, and then non-guests see there is a party because they see likes on Activity Stream?

Michal also told me that other website owners use Jomsocial events for 'adult' private parties, and they need them to be totally private and completely hidden from non-guests too!!

I am really frustrated that I am having to point out why it is wrong that a 'like' for a private event to show the people who are not invited. And the Event Albums need to be private too.

I also think the check box 'hide on list of events' should say 'Private event - hide from non-guests' as everything about the event should be private.

I hope you understand and we can get these privacy issues resolved quickly please. Thank you very much.

Hi, Susan.

I passed this issue to Sinisa. Your understanding of 'hide on list of events' is correct.
Originally Albertus provided wrong replication steps and report was rejected by Sinisa.
As for my words, adult site need to be completely private but this is achieved in different way and it's not related with current issue ;)

Let's wait for Sinisa response. I assign myself to this thread.