Private threads

Private threads [Paid] 2.0.4

No permission to buy ($20.00)

Snog

Well-known member
Snog submitted a new resource:

Private threads - Create threads only invited members can view in XenForo 2

Private threads allows users to create threads that can't be viewed by members unless they have been invited to view the thread.

FEATURES:
  • Prepend/Append text to thread titles
  • Change existing threads to private threads
  • Change private threads to public threads
  • Alert members when they are included in a private thread
  • Add/Remove members after the thread is created
NOTE: For security reasons admins can view all private threads. Moderators can not. Only the...
Read more about this resource...
 

Snog

Well-known member
A word of warning about upgrading from the XenForo 1.x version of this add-on (Thread level permissions).

BEFORE upgrading to XenForo 2, place your existing private threads into moderation by disabling the XenForo 1.x version of the add-on. If you don't do this, all of your XenForo 1.x version private threads will be visible to all members in XenForo 2 until you upgrade to this version of the add-on. When you upgrade to this version, any existing private threads will remain private and be taken out of moderation during the upgrade process.
 

Nirjonadda

Well-known member
@Snog Can be add user after thread created from thread view, as well show who user are allowed to this thread? Also user are get Alerts about the Private threads are added to you. Thread starter and user allowed can be invite more user.

Example:

 

Snog

Well-known member
@Snog Can be add user after thread created from thread view, as well show who user are allowed to this thread? Also user are get Alerts about the Private threads are added to you. Thread starter and user allowed can be invite more user.

Example:

From the add-on description:
features.png

Yes, you see who is participating:
07.png
 

AnimeAi

Member
This would be useful to me if all members could view but only specified members could post in the thread (roleplay forum). Any chance of this in a future version?
 

Snog

Well-known member
This would be useful to me if all members could view but only specified members could post in the thread (roleplay forum). Any chance of this in a future version?
That's pretty much the direct opposite of what this add-on does. I don't see it being included in this one, but possibly a different add-on.
 

Peter Cox

Active member
You should be aware that Moderators are excluded from seeing private threads, which is a big problem for us. It would be so nice to have this made optional, i.e. so the admin could decide whether mods could see private threads or not.
 

Snog

Well-known member
You should be aware that Moderators are excluded from seeing private threads, which is a big problem for us. It would be so nice to have this made optional, i.e. so the admin could decide whether mods could see private threads or not.
That is intentional and it is in the add-on overview. The fact that moderators can't view private threads has never been hidden.
 
  • Like
Reactions: Xon

Peter Cox

Active member
That is intentional and it is in the add-on overview. The fact that moderators can't view private threads has never been hidden.
Fair enough. We didn't quite appreciate the impact of having mods entirely locked out of threads in their own forums, though.

It's a nice addon. But it does break the organizational chart hierarchy within forums quite badly - users can lock mods out of certain areas, and that can't be good.

Would very much like to see this "feature" admin-settable, i.e. let admins decide whether they want mods to see private threads - or not.
 

Snog

Well-known member
Fair enough. We didn't quite appreciate the impact of having mods entirely locked out of threads in their own forums, though.

It's a nice addon. But it does break the organizational chart hierarchy within forums quite badly - users can lock mods out of certain areas, and that can't be good.

Would very much like to see this "feature" admin-settable, i.e. let admins decide whether they want mods to see private threads - or not.
The original requirements set by the person that commissioned the add-on for the original XF 1 version included that moderators not be able to view private threads without being invited to them.

For the person that originally commissioned the add-on, allowing moderators to view the threads could pose a high personal security risk for the people in the threads.

I'll think about adding it, but I don't guarantee it will be added. Just the presence of that option and the possibility of it being accidentally toggled on could cause problems.
 
Last edited:

Peter Cox

Active member
For the person that originally commissioned the add-on, allowing moderators to view the threads could post a high personal security risk for the people in the threads.
Yes, I can see that there could be reasons for wanting threads to be absolutely private. I suspect most forums, though, do need their mods to have a measure of discrete control over what's going on in "private". Otherwise, I could see a lot of problems developing.

Be nice to have the option.
 

Anthony Parsons

Well-known member
I suspect most forums, though, do need their mods to have a measure of discrete control over what's going on in "private".
Yep. I looked at this addon, then reading it is restricted to admins only, worthless in purchasing. Mods should be a permission, regardless the original investors original requirements. You are selling this yourself now, so it should, IMHO, be an option, thus more sales for you.
 

Betclever

Active member
@Snog

Can we choose a group instead of/and users?
If not, can you add this feature cause adding the group "premium" will be great in my case?
 

usAdultAds

Active member
The original requirements set by the person that commissioned the add-on for the original XF 1 version included that moderators not be able to view private threads without being invited to them.

For the person that originally commissioned the add-on, allowing moderators to view the threads could pose a high personal security risk for the people in the threads.

I'll think about adding it, but I don't guarantee it will be added. Just the presence of that option and the possibility of it being accidentally toggled on could cause problems.
This is why legal disclaimers are put on websites to hold the forum, owners, admin, mods harmless of any damages, and this certainly falls under safety and trust; the last thing a site wants is to be accused of harboring terrorist conversations that no one can access. If someone wants total privacy, then they should go and set up their own forum, then they do not have to worry about such things "what could happen" or "what if" If you are on my property, then I expect you to follow my rules, and the forum is no different, otherwise, you have the right to leave, and not use the site.
just say'n...

now for my question. Can private threads by restricted to certain categories? I am not going all over the forum looking for private conversations, so I would need to strict access to a certain user group, for certain category, then I think it would work just fine.

Thanks
 
Last edited:

Snog

Well-known member
Can private threads by restricted to certain categories? I am not going all over the forum looking for private conversations, so I would need to strict access to a certain user group, for certain category, then I think it would work just fine.
You can restrict it a any permission level you like. So in this case, you would set the permission at the category level for the user group you want to be able to create private threads.
 

DragonByte Tech

Well-known member
This is why legal disclaimers are put on websites to hold the forum, owners, admin, mods harmless of any damages, and this certainly falls under safety and trust; the last thing a site wants is to be accused of harboring terrorist conversations that no one can access. If someone wants total privacy, then they should go and set up their own forum, then they do not have to worry about such things "what could happen" or "what if" If you are on my property, then I expect you to follow my rules, and the forum is no different, otherwise, you have the right to leave, and not use the site.
just say'n...
I'll throw my 2p in; disclaimers are 100% pointless when you are dealing with people and not legal entities. Sure, you're absolutely right in saying that if the police demands access to the thread you should acquiesce, but what about if it's more about personal embarrassment to one of the members of the site rather than a legal question?

When we as addon developers contemplate adding a feature to a mod, we have to ask ourselves "how can this option be misused? Do the benefits of adding this feature outweigh the potential negatives?"

For instance, let's say you've developed an addon for automatically archiving threads older than X days in the AdminCP. A little bit later, someone says "hey, it would be great if we could give this option to moderators too".

Sounds reasonable enough, and the damage is minimal as the mod would automatically replicate the forum structure in an archive category or whatnot, so if it gets misused you can always just move the threads back and fire that moderator.

Then someone asks for the ability to delete the threads instead of archiving them. Now all of a sudden you have to consider the scenario of someone having enabled the feature for moderators AND enabled the delete option. Undeleting hundreds, if not thousands of threads would be a really time consuming job.

Then, to take it even further, they ask for the ability to hard delete threads. Now you are faced with the possibility of permanent data loss as a result of a misconfiguration either accidentally or by a malicious administrator.

If I was the addon developer, I would reject this feature request unless the majority of users / customers were in support of this feature. Even if I added a million "are you sure, are you really really sure, this is more dangerous than jumping into a sea of hungry lions made of lava" popups, someone would have their forum wiped out. All it takes is one person posting "My forum got wiped out as a result of your mod" and suddenly your reputation as an addon developer is damaged (even if it's only in a small way).

As developers, part of our jobs is to think of worst-case scenarios. How can feature X be exploited? How can it be misused? Is this feature vulnerable to some form of exploit, be it SQL Injection, XSS (cross site scripting) or social engineering?
We have to evaluate the pros and cons of every feature to decide whether it's worth adding.

A feature whose only purpose is to cause permanent data loss would not have enough pros to offset the obvious con of "someone's entire site is wiped out, permanently, unless they have a backup".

----
To bring it back to the actual feature in question here: if it was possible for moderators to implicitly bypass privacy restrictions, the entire addon is vulnerable to a social engineering exploit by simply having a malicious party talk a moderator into revealing something from the private thread that could be used against the participants.

Even if there were no malicious intent, another possible scenario could be that a moderator is friends with someone who's being discussed in a private thread, and feels a stronger sense of duty to their friend than they do to the rules of the site. A forum is, after all, not a job where there's real legal ramifications for breaches of operational security.

Those are two very serious potential outcomes that I thought off as I was writing this post, with no actual serious thought or planning. I'm sure if I, or others who are smarter than me, spent more time thinking of ways this feature could go wrong, more potential problems would arise.

----
This post is not meant as a "callout", I am trying to add a bit more context as to why a developer might reject a given feature. It's not that we're lazy or we don't have perfect vision of how brilliant this feature would be and how we would sell fimto-twen bajillion copies if we just added this feature :p


Fillip
 
Top