[webmasterfreya]

WP 5.3.2
BBpress 2.6.4
Buddypress 5.1.2 (with private forums)

Hi,

When entering a registered user name via [bbp-search], messages from this user are shown eventhough they are in a private forum and the requesting user is NOT a member of that group.
This clearly violates the privacy and should not be happening.

I have removed all occurences of [bbp-search] , and with that lost the ability to search through the forums.

To test
– create 2 users (eg user-1, user-2)
– Make user-1 member of a private forum (forum-1) and create a topic and some replies.
– Make user-2 member of anothher private forum (forum-2) and create a topic and some replies.

– create a testpage with content [bbp-search], publish
– login with user-1
– got to testpage and search for user_2

No messages should show up, but i’m afraid they will.

Could anyone please try and get back here to share the result?

[Mike Straw]

I’ve got the same issue with a BuddyPress/bbPress installation with private groups that have private forums. Forum search searches ALL the forums, whether they’re private or not and whether the user should be able to see that forum.

I deactivated forum search from WP Admin (Settings > Forums > Allow forum wide search) until there’s a way to close this security hole.

[webmasterfreya]

Thanks Mike.

[webmasterfreya]

This looks far better:

https://github.com/r-a-y/bbp-single-forum-search