Profile View - Security Issue

10 years 2 months ago
Licenses:
JomSocial Expired

Hi Jomsocial,

I found a security problem with the profile security. Let me explain..

- User AA sets up the profile security [Preference > General > Profile View = Friends], so the user assumes only friends can view his/her profile.
- User BB is not a friend of AA, so AA assumes BB cannot see AA's profile.
However,
- Within the Module > Member's activities, after clicking the "View all members" link, BB can see AA on the user list.
- BB can also search for user AA from the search tool.
- BB clicks AA's profile (link), and BB is able to see AA's active stream, and even the "About Me" details.

I assume this should not be happening. A normal reaction to the above action should be:
> when BB tries to open AA's profile, it gets an "access forbidden / invalid access rights, etc" error ...
> or, at least AA's active stream should be hidden ....

Please advise if it's a bug, or some enhancement will be done in later release.

10 years 2 months ago
  • Dimas Tekad Santosa

Hi,

Could you provide me backend and FTP access, please? I need to check the code for this...

I tried it locally and it seems everything is working fine.

10 years 2 months ago
Licenses:
JomSocial Expired

Hi Dimas,

Site info has been provided in my #1 post. Please check.

For FTP access, it's currently read only, so please let me know which file you would like to modify and I will change the permission for you. Thanks. And please DO NOT install any components / plugins on the site. Thanks for your help.

I tried switching back to the default JomSocial template and can confirm it's not caused by my template override, since the problem is still there using the default template.

10 years 2 months ago
  • Dimas Tekad Santosa

Hi,

Thank you for that information, can you provide me the edit and add permission for com_community folder please?

10 years 2 months ago
Licenses:
JomSocial Expired

It's done.

I've changed the support ID to be the owner of /Components/com_community (and its subfolders)

10 years 2 months ago
  • Dimas Tekad Santosa

Hi,

Please check again, I just fixed this. This issue is caused by Joomla itself, but I don't know from where; from a quick check, it is caused by this Joomla code:

method_exists('Juser', 'authorise')

So the solution for fixing this issue is that I edited the JomSocial code as well.

10 years 2 months ago
Licenses:
JomSocial Expired

Um... I guess the problem is not fixed because:

1) I cannot see my own page (Access restricted)
2) I cannot see public / allow member access pages (access restricted)
(It seems everyone's page is now restricted.)

I guess the result needs to be:
a) Myself only , except myself no others can see
b) friends only, except friends, no others can see
c) members only, except members, public cannot see (guest)
d) public, everyone can see.

Please again, I guess the code did something wrong. Thanks and this is urgent now ^^
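
The four levels a) to d) listed in the post above, written out as a server-side check with a regression matrix. This is an added example, not JomSocial's or Joomla's code; the function name, constants and user IDs are hypothetical, and it assumes the check runs on the profile view itself, so it applies however the viewer reached the profile (member list, search or direct link).

```php
<?php
// Added example: hypothetical names, not JomSocial's or Joomla's API.
const PRIVACY_PUBLIC  = 'public';
const PRIVACY_MEMBERS = 'members';
const PRIVACY_FRIENDS = 'friends';
const PRIVACY_ONLY_ME = 'only_me';

/**
 * Decide whether $viewerId may see the profile of $ownerId.
 * $viewerId is null for a guest; $friendIds are the owner's friends.
 */
function canViewProfile(?int $viewerId, int $ownerId, string $privacy, array $friendIds): bool
{
    // The owner always sees their own profile (the lock-out reported in the post above).
    if ($viewerId !== null && $viewerId === $ownerId) {
        return true;
    }
    switch ($privacy) {
        case PRIVACY_PUBLIC:
            return true;
        case PRIVACY_MEMBERS:
            return $viewerId !== null;
        case PRIVACY_FRIENDS:
            return $viewerId !== null && in_array($viewerId, $friendIds, true);
        case PRIVACY_ONLY_ME:
            return false;
        default:
            return false; // unknown setting: fail closed
    }
}

// Constructed sample data: AA = 1, friend CC = 3, non-friend BB = 2, guest = null.
$owner = 1;
$friends = [3];
$viewers = ['AA (owner)' => 1, 'CC (friend)' => 3, 'BB (member)' => 2, 'guest' => null];
$expected = [ // rows a) to d) from the post, columns in $viewers order
    PRIVACY_ONLY_ME => [true, false, false, false],
    PRIVACY_FRIENDS => [true, true,  false, false],
    PRIVACY_MEMBERS => [true, true,  true,  false],
    PRIVACY_PUBLIC  => [true, true,  true,  true],
];
foreach ($expected as $privacy => $row) {
    $i = 0;
    foreach ($viewers as $label => $viewerId) {
        $got = canViewProfile($viewerId, $owner, $privacy, $friends);
        printf("%-8s %-12s %-5s %s\n", $privacy, $label, $got ? 'allow' : 'deny',
            $got === $row[$i++] ? 'ok' : 'MISMATCH');
    }
}
```

Running the matrix after any change to the privacy code catches both failures seen in this thread: BB being allowed under `friends`, and the owner or public viewers being denied.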

10 years 2 months ago
  • Dimas Tekad Santosa

Hi,

Ehm... maybe it's from the cache. Can you provide me a Super User account, please? The current backend doesn't have permission to check the configuration.

thank you

10 years 2 months ago
  • Dimas Tekad Santosa

hi,

I just tested creating a photo, video and event, and it seems the streams are working fine for them.

10 years 2 months ago
Licenses:
JomSocial Expired

the ID is not super admin now.

I cleared cache, purged expired cache, and also purged all caches from CDN, same result. I guess it's not something about cache.

10 years 2 months ago
  • Dimas Tekad Santosa

Hi,

Can you provide the Super User account please so I can check everything..

thank you

10 years 2 months ago
Licenses:
JomSocial Expired

Yes, it's now superadmin now .... (previous typo not > now)

10 years 2 months ago
  • Dimas Tekad Santosa

Hi,

Can you check again? I think I already fixed this properly :)

Just let me know if this issue still exists.

10 years 2 months ago
Licenses:
JomSocial Expired

Hi Team,

Thanks for your help in fixing this. May I know whether it is an issue isolated to my site, or whether the fixes will also be included in the next JS release? (e.g. 3.2)
P.S. Is it safe for me to upgrade when a new version is available? If not, when should I do the next upgrade?

I will wait for your advice before closing the topic. Thanks again.

Moderators: Piotr Garasiński