[tl] Anonymous Posting

[tl] Anonymous Posting [Paid] 1.1.1

No permission to buy ($30.00)

Dynamic

Well-known member
Can the anonymous posting be set as a default permission on a per-forum basis? So, it will not need a tickbox checked. That way it can force it on users on specific nodes.

Thanks.
 

Sperber

Well-known member
@truonglv ,

I´ve posted these critical bugs and design flaws 5 months ago. Have you been able to adress them or remains this add-on still unsafe for use?

Bought it now for testing purposes (and hope to get a refund if I have to experience it´s unsafe for anonymous use ;) ) and found the first 2 issues.

Two functional design issues:

On quickthread the anonymous function is missing (only available in extended editor mode)..
View attachment 199893

..and this better should look like this:
View attachment 199894


On quickreply the location of the function breaks the design:
View attachment 199895

..and this better should look like this:
View attachment 199896

I´ll post those issues only here, Truong, since there is a greater interest in this addon and people are following here. Trying to test this addons functionality the upcoming days and will post follow-ups, as soon I have found something.
A critical design error:
when a usergroup has the permissions "[tl] Anonymous Posting: Can view " set to yes - like admins and moderators will have - and look at a originally anonymous post, they don´t see that it´s an anonymous post! Instead they see the real user and his real profile. If they now answer to that post, they most likely will use the original poster real name in the thread "Hello [username], .. " and will reveal the users identity with that. This has to be changed, else the whole add-on isn´t useable.

I´ld recommend to use the anonymous profile even for usergroups with the permission set to yes - but show them a link "Original author: [username]" as replacement for the "Guest"-usergroup in the profile block [the usergroup title is even incorrect, since the user is of course a member].
Beside the already posted critical error above, there are several other critical bugs which make me consider this add-on in the current state as unsafe to use, failing in the main tasks.

Using the native XF:
  1. Likes: all like-actions in threads from an author who uses the anon-function in this thread will be performed by the main user, revealing their real identity.
  2. when a user has posted with the anon-function, he is able to post with his primary real account in this thread. This will be abused to start flame-wars, for trolling, for answering/up or downvoting own posts/threads or simply to fool other members. This is the very last thing you wanna have in your forums! Users have to be forced to use the already - in this thread used for a reply/like/vote - used account automaticly for all other actions in this thread. If they have started with their primary account, there has to be a function to prevent that they are using the anon-function in this thread. If they start with the anon-function - vice versa - they can´t be allowed to use the primary account.
Using [TH] Question & Answers:
  1. Using "mark answer as best answer" while being the anonymous thread starter reveals your identity to the author of the best answer.
  2. Up or downvoting a post is performed by the primary account, not the anonymous one (same problem as #2 while using a native XF: the account has to be forced to be used automaticly, which was used already in the thread!)
Testing continues.
 

BirdOPrey5

Well-known member
The mod author is very quick to fix bugs that are found but unfortunately this mod has a fundamental flaw and in my opinion will NEVER be safe to use for true anonymity to your users, the risk of their real account being revealed is orders of magnitude too high for me to use on my sight.

The flaw is this... Ultimately when an "anonymous" post is made, it is still recorded as being made by the user who made it. In the database it is the user who made it recorded as the author. The mod does everything it came to actively change that to "Anonymous" and actively hide anything that could possibly link back to the real user... Activity feeds, reactions, post history, etc... But no matter how many you think you have fixed, there's likely something you forgot. Worse, should the mod ever break or need to be disabled EVERY anonymous post will immediately revert back to the original poster. That is simply unacceptable risk.

The only safe way to make an Anonymous mod is a mod where you create a new user called "Anonymous" (or whatever you want) and you specify the username or userid of the anonymous user in the mod settings. Now anytime an anonymous post is made the post is credited to the "anonymous" user- therefore if the mod ever needs to be disabled new anonymous posts can't be made but old ones will not betray the real author. This is how the vBulletin anonymous mod works. I realize it may not be possible with Xenforo, and if that is true, than XF simply can't have an anonymous mod... but this... this simply isn't safe.

The mod author works hard to fix but unless this can be fundamentally designed to work as described it can never be safe.
 

Gossipy

Active member
The mod author is very quick to fix bugs that are found but unfortunately this mod has a fundamental flaw and in my opinion will NEVER be safe to use for true anonymity to your users, the risk of their real account being revealed is orders of magnitude too high for me to use on my sight.

The flaw is this... Ultimately when an "anonymous" post is made, it is still recorded as being made by the user who made it. In the database it is the user who made it recorded as the author. The mod does everything it came to actively change that to "Anonymous" and actively hide anything that could possibly link back to the real user... Activity feeds, reactions, post history, etc... But no matter how many you think you have fixed, there's likely something you forgot. Worse, should the mod ever break or need to be disabled EVERY anonymous post will immediately revert back to the original poster. That is simply unacceptable risk.

The only safe way to make an Anonymous mod is a mod where you create a new user called "Anonymous" (or whatever you want) and you specify the username or userid of the anonymous user in the mod settings. Now anytime an anonymous post is made the post is credited to the "anonymous" user- therefore if the mod ever needs to be disabled new anonymous posts can't be made but old ones will not betray the real author. This is how the vBulletin anonymous mod works. I realize it may not be possible with Xenforo, and if that is true, than XF simply can't have an anonymous mod... but this... this simply isn't safe.

The mod author works hard to fix but unless this can be fundamentally designed to work as described it can never be safe.
Agree with everything you said.

And it is possible - at least it was until 2.0. As I've posted before, we were using the anonymous posting add-on that @xfrocks made. Other than a period where we had a glitch and had to get some custom work done to fix it, it was doing what we needed. Sadly upgrading to XF2 killed it.
 

Sperber

Well-known member
In the new version the post does not assign to origional poster.
Confirmed. Unforrunal the option for the anon function is now missing again on the most used functions (quick reply and quick thread) - and all subsequent actions in this thread are made publicly by the real user, which reveals his identity :/
 

truonglv

Formerly Nobita.Kun
Confirmed. Unforrunal the option for the anon function is now missing again on the most used functions (quick reply and quick thread) - and all subsequent actions in this thread are made publicly by the real user, which reveals his identity :/
Subactions like reactions? I dont think it is belong to this add-on
 

BirdOPrey5

Well-known member
Confirmed. Unforrunal the option for the anon function is now missing again on the most used functions (quick reply and quick thread) - and all subsequent actions in this thread are made publicly by the real user, which reveals his identity :/
What are "subsequent actions?" I mean I would expect they should be able to reply as themselves or as anonymous? Is that not the case?
 

Sperber

Well-known member
I mean I would expect they should be able to reply as themselves or as anonymous? Is that not the case?
Regarding posting it is, even when the checkbox has to be ticked with every post, else the user is posting with his real user account. With subsequent actions I was referring to reactions. It has been already mentioned before, that the problem is mainly that the anonymous user is a virtual one. For some this may be enough for their users, because the purpose is rather trivial. In our use case and for our users, such an accidental "exposure" would have very serious and far-reaching consequences, which would probably be most appropriate to describe as "devastating".
 

BirdOPrey5

Well-known member
Regarding posting it is, even when the checkbox has to be ticked with every post, else the user is posting with his real user account. With subsequent actions I was referring to reactions. It has been already mentioned before, that the problem is mainly that the anonymous user is a virtual one. For some this may be enough for their users, because the purpose is rather trivial. In our use case and for our users, such an accidental "exposure" would have very serious and far-reaching consequences, which would probably be most appropriate to describe as "devastating".
Any checkbox could easily be edited to be checked by default I suppose. But people want to be anonymous not too much to ask to check a box IMO.
 

BirdOPrey5

Well-known member
Playing with 1.08 and happy to see the option to assign anonymous posts to a specific user, seems to work, verified post in database now shows as the anonymous user. Great update.
 

Gossipy

Active member
What does "Show anonymous ID?" do in the new version?
Agree; would someone explain what that means?

I assume it refers to this:

A critical design error:
when a usergroup has the permissions "[tl] Anonymous Posting: Can view " set to yes - like admins and moderators will have - and look at a originally anonymous post, they don´t see that it´s an anonymous post! Instead they see the real user and his real profile. If they now answer to that post, they most likely will use the original poster real name in the thread "Hello [username], .. " and will reveal the users identity with that. This has to be changed, else the whole add-on isn´t useable.

I'd recommend to use the anonymous profile even for usergroups with the permission set to yes - but show them a link "Original author: [username]" as replacement for the "Guest"-usergroup in the profile block [the usergroup title is even incorrect, since the user is of course a member].
 

Peter Cox

Active member
Sorry, but the permissions seem really confused on this plugin.


* On “Registered” usergroup – set permissions to Can Use

* Analyze Permissions – shows that a Registered user in the designated forum CAN use

* However, the checkbox is simply not showing up!

* It DOES show up if a secondary usergroup is added to the user’s profile. But the secondary usergroup doesn't have any permissions set for this plugin.


Could you please assist?
 
Top