ISSUE SUMMARY:

**BUG** If you move a photo which has private ("me" only) permissions (40 in the #_community_photos - permissions column) into a photo album that is viewable by others (0, 10, 20, or 30 in the #_community_photo_albums - permissions column), the permissions of the photo are ignored and the photo can be viewed within the album.

---

Please note that I have updated modified my .js files so you may want to test this on your local site.

In general, I'm in the process of securing much of the permissions structure with JomSocial. You guys have done a terrific job of implementing a social website which is wide open (i.e. individual users can post videos, pictures, and posts to the entire site - i.e. public) which all the activity is available to all users. However, there is no way of limiting this information.

For example to make sure that the user doesn't have the capability of posting to the entire user base. Facebook and most other sites, don't allow you to post "unsolicited ads" to other people's streams which is what the "public" and "site members" settings allow in the privacy tab.

Although a default privacy setting is an option, I don't believe it's possible to prevent people from changing the status of their post. This is a concern that I believe would make a great addition to your product if you were to choose to solve it.

Hi Devon,

its not at bug. photo view permission based on photo album privacy.

Regards

It is a bug.

The default spot to upload a picture is the stream photo album, which is by default public and unchangeable.

If I upload a photo in my stream and then change the privacy on the photo to only me.
Another user can still go into that album and view the secured file.

Why else would you have the ability to have individual photo permissions both on the website and in the database if you are just going to ignore them.

I'm sorry, it is a bug. It is a gaping hole in the way a user interacts with jomsocial.

If what you say is correct then all photos should have the permission options removed. That's a bigger tearup to the .js and templates than fixing the view permissions.

Hi,

photos do not have their own permissions. all photo privacy is inherited from the album they belong to.
so if you move the photo from album with privacy 40 to album with privacy 10, the image will be available to public.

also, you can restrict non-friends from posting on other people profile & stuff, theres an option for that in backend which is disabled by default
Configuration > Site, Wall section
And status of the post in the stream can be changed

Regards

Hi Devon

Thats the matter i totally agree with you. Indeed, why would we have option to set individual privacy for the photo if we are going to ignore it.
That is the reason why Jomsocial does not have such option to begin with. All photo privacy values are inherited from the album the specific photo belongs to. You can't set the privacy for individual photo. If you did this, it's either a hack or third-party feature.

Also, you can restrict non-friends from posting on other people profiles, images, videos etc.. there is a backend setting for that in Configuration -> Site -> Walls

And finally, after making the post, you can always edit it's privacy.

Thank you for noting that the photo permissions levels do not necessarily match the post permission level. Inherently, this is confusing to a user. When I upload a photo to anything and then make that photo "my friends" or "site users" or "only me", I would expect that the photo permission is also updated since that is the main point of that particular upload. It does raise the question though, when I post and include a photo, do I want the photo permissions to match that of the post. com_community has the ability to do this.

For example:
Upload a picture in stream photos.

Using your database tool of choice, find that picture in #__community_photos

Change the 'permissions' column to "40" (the only me value).

Login to a different JomSocial user account.

go to the profile page where you uploaded the photo

Click on photos, stream photos

Note that even though you changed the permissions of the photo, the individual photo permissions are ignored and you can view the photo. (Note you can also see the lock icon (only me) up on the top right in the modal viewer, so I know you are looking at that information).

Not many users will specifically create a separate album (users are generally lazy) that has a different permission level for their stream photos. So when a user changes their posted photo to "only me" they would expect that other people can't see the photo. How it is implemented now, the user thinks the photo is secure due to the lock icon on the post. Most other users think the photo is secure because they can't see it, but this can be defeated by simply navigating to the album which unforunately

--- ignores the individual photo permissions if they are set ---

I'm really not trying to be argumentative. I can fix this myself, but it's another patch that I have to make.

It is clear that JomSocial was designed to be used in a very open community. Things like global posting which shows up in all users accounts are great for admins, but is a very dangerous power for normal users to have. I can modify activities.php to help with this, but again, this is not a template override, this is a modification to JomSocial's behavior.

I do appreciate all the wonderful features that are in JS, but to truly implement a secure community, you have to think about how people could misuse the product as well as use it. So there are more than a few holes in the permissions system, some of which not easy to modify without the proper tools (ajax forms, default values, etc. have to be run through grunt which I haven't come up to speed yet).

Hi Devon,

photos do not have their own permissions. all photo privacy is inherited from the album they belong to.
please ignore permission field in #__community_photos.

you can put user voice at here:
uservoice.jomsocial.com

Regards