Skip to:
Content
Pages
Categories
Search
Top
Bottom

bbpress user profile pages are not secure – need workaround

  • @pixeldrum

    Member

    In my profile page bbpress states:

    “This is how your profile appears to a logged in member.”

    <b>You don’t have to be logged in to see a user profile page.</b> I’ve tried this with other member names in the forums in different browsers with cleared out caches. You can see any member profile with the direct URL: http://bbpress.org/forums/profile/username (Try this with any valid user name)

    (Could it be that this security hole causes a lot of spam attacks?)

    On my site, until I did some tweaking with a membership plugin you could not only access the bbpress profile, but also edit the user profile, change the password, whatever. Now that this is more secure I can give an example:

    http://kyebay.ca/forums/admin/Fritzi (styles fall apart)

    I want to redirect author links to a custom bbpress profile page with proper site styles applied and separate the user profile from the bbpress profile.

    How can that be done? Can you point me to the code I need to use? I could really use some help with this. I’ve posted on this matter in another topic, which had no response, because I may not have described the problem properly. Using WP 3.4 with updated Twenty Eleven theme. Please advise.

Viewing 4 replies - 1 through 4 (of 4 total)
  • @johnjamesjacoby

    Keymaster

    User profiles are always public, and no – you cannot edit a profile that is not yours unless you are a keymaster.

    If it was a security hole (which it’s not) posting about it in a public forum is a no-no.

    The “…This is how your profile…” string is part of bbPress 1.1, and not part of 2.0, but I see you’re using 2.0 on your site.

    All of this, makes me confused. :)

    @pixeldrum

    Member

    Now I am getting confused. I could have sworn that I replied to your post John a few days ago… but I don’t see it.

    Here it is again then, my apologies, I didn’t mean to transgress a forum convention. Still, if at all possible, I’d like some direction as to how I can block access via direct URL to user profiles. From user profiles someone can track back to posts attributed to the user and use and post via that ‘back door’.

    I have bbpress installed and protected (I thought) behind the membership wpmudev.org membership plugin and want the forum area available for specific members only including the profile information. What files need to be customized to make this possible?

    I can block posts and content in pages with short-codes from the membership plugin, but I don’t know where I would place those within the structure of bbpress. Is there a way, please? I am not a coder, but have friends who are I just need to be pointed to the files that are involved in getting this done. Thanks for ANY help with this matter.

    @pixeldrum

    Member

    Wanted to let you know that bbpress profiles, forums and topics CAN be secured. After searching for the solution I found it today. Using the WPMU Membership Premium Plugin I could secure the site by using/blocking URL groups and regular expressions.

    I also learned that bbpress is a very good forum, but it is meant to be used as a public forum and therefore I couldn’t expect to be able to secure it from within bbpress. I was thrilled to find out that the membership plugin by WPMU is versatile enough to effectively secure bbpress behind a single login.

    @johnjamesjacoby

    Keymaster

    Privacy and security are two very different things. bbPress is meant to be whatever you need it to be, by playing nicely with other plugins.

Viewing 4 replies - 1 through 4 (of 4 total)
  • You must be logged in to reply to this topic.
Skip to toolbar