XF 2.2 Privacy options do not work as expected

Kirby

Well-known member
Steps to reproduce
  1. Enter an identity like Facebook, Skype, etc. in you account details
  2. Set privacy option Allow users to View your identities = Nobody
  3. Edit this field in ACP and enable option Viewable in message user info
  4. Modify style property Message user info elements to include Custom fields
  5. View one of your posts as guest
Expected Result
The identity is not being shown

Actual Result
The identitiy is being shown

IMHO one of those possible changes should be made:
  1. Add information on the privacy options page indicating that Allow users to View your identities does only affect display of identities when viewing the full profile
  2. Identity custom fields are not being shown in message user info if the viewing user does not have permission to view them in profile
  3. Add Information to the account details page indicating fields that might be visible publically although the user has set restrictions on accessing his profile
 
We cannot reproduce this.

The display of custom fields in the "Contact details" group is gated behind the relevant permission checks (see message_macros template):

HTML:
<xf:if is="$extras.custom_fields">
   <xf:macro template="custom_fields_macros" name="custom_fields_values"
      arg-type="users"
      arg-group="personal"
      arg-set="{$user.Profile.custom_fields}"
      arg-additionalFilters="{{ ['message'] }}"
      arg-valueClass="pairs pairs--justified" />
<xf:if is="$user.canViewIdentities()">
   <xf:macro template="custom_fields_macros" name="custom_fields_view"
      arg-type="users"
      arg-group="contact"
      arg-set="{$user.Profile.custom_fields}"
      arg-additionalFilters="{{ ['message'] }}"
      arg-valueClass="pairs pairs--justified" />
</xf:if>
</xf:if>

The cases where what you've reported may happen would be:

1) The custom fields you tested against were not in the contact group
or
2) You have guest page caching enabled and you hit a cached page after setting the permission.
 
Top Bottom