Bought it now for testing purposes (and hope to get a refund if I have to experience it´s unsafe for anonymous use ) and found the first 2 issues.
Two functional design issues:
On quickthread the anonymous function is missing (only available in extended editor mode)..
View attachment 199893
..and this better should look like this:
View attachment 199894
On quickreply the location of the function breaks the design:
View attachment 199895
..and this better should look like this:
View attachment 199896
I´ll post those issues only here, Truong, since there is a greater interest in this addon and people are following here. Trying to test this addons functionality the upcoming days and will post follow-ups, as soon I have found something.
A critical design error:
when a usergroup has the permissions "[tl] Anonymous Posting: Can view " set to yes - like admins and moderators will have - and look at a originally anonymous post, they don´t see that it´s an anonymous post! Instead they see the real user and his real profile. If they now answer to that post, they most likely will use the original poster real name in the thread "Hello [username], .. " and will reveal the users identity with that. This has to be changed, else the whole add-on isn´t useable.
I´ld recommend to use the anonymous profile even for usergroups with the permission set to yes - but show them a link "Original author: [username]" as replacement for the "Guest"-usergroup in the profile block [the usergroup title is even incorrect, since the user is of course a member].
Beside the already posted critical error above, there are several other critical bugs which make me consider this add-on in the current state as unsafe to use, failing in the main tasks.
Using the native XF:
Using [TH] Question & Answers:
- Likes: all like-actions in threads from an author who uses the anon-function in this thread will be performed by the main user, revealing their real identity.
- when a user has posted with the anon-function, he is able to post with his primary real account in this thread. This will be abused to start flame-wars, for trolling, for answering/up or downvoting own posts/threads or simply to fool other members. This is the very last thing you wanna have in your forums! Users have to be forced to use the already - in this thread used for a reply/like/vote - used account automaticly for all other actions in this thread. If they have started with their primary account, there has to be a function to prevent that they are using the anon-function in this thread. If they start with the anon-function - vice versa - they can´t be allowed to use the primary account.
Testing continues.
- Using "mark answer as best answer" while being the anonymous thread starter reveals your identity to the author of the best answer.
- Up or downvoting a post is performed by the primary account, not the anonymous one (same problem as #2 while using a native XF: the account has to be forced to be used automaticly, which was used already in the thread!)
The mod author is very quick to fix bugs that are found but unfortunately this mod has a fundamental flaw and in my opinion will NEVER be safe to use for true anonymity to your users, the risk of their real account being revealed is orders of magnitude too high for me to use on my sight.
The flaw is this... Ultimately when an "anonymous" post is made, it is still recorded as being made by the user who made it. In the database it is the user who made it recorded as the author. The mod does everything it came to actively change that to "Anonymous" and actively hide anything that could possibly link back to the real user... Activity feeds, reactions, post history, etc... But no matter how many you think you have fixed, there's likely something you forgot. Worse, should the mod ever break or need to be disabled EVERY anonymous post will immediately revert back to the original poster. That is simply unacceptable risk.
The only safe way to make an Anonymous mod is a mod where you create a new user called "Anonymous" (or whatever you want) and you specify the username or userid of the anonymous user in the mod settings. Now anytime an anonymous post is made the post is credited to the "anonymous" user- therefore if the mod ever needs to be disabled new anonymous posts can't be made but old ones will not betray the real author. This is how the vBulletin anonymous mod works. I realize it may not be possible with Xenforo, and if that is true, than XF simply can't have an anonymous mod... but this... this simply isn't safe.
The mod author works hard to fix but unless this can be fundamentally designed to work as described it can never be safe.
Notable changes:
- Added new option to show/hide anonymous ID
- Fixed quote post can reveal anonymous identifier.
In the new version the post does not assign to origional poster.The flaw is this... Ultimately when an "anonymous" post is made, it is still recorded as being made by the user who made it.
Confirmed. Unforrunal the option for the anon function is now missing again on the most used functions (quick reply and quick thread) - and all subsequent actions in this thread are made publicly by the real user, which reveals his identity :/In the new version the post does not assign to origional poster.
Subactions like reactions? I dont think it is belong to this add-onConfirmed. Unforrunal the option for the anon function is now missing again on the most used functions (quick reply and quick thread) - and all subsequent actions in this thread are made publicly by the real user, which reveals his identity :/
Notable changes:
- Added new option which allow assign anonymous to specific user
- Added notice block anonymous post
If that´s the case, - as stated in my first post in this thread - I`ld like to ask for a refund since in our forums and use case it would be irresponsible to offer this.I dont think it is belong to this add-on
What are "subsequent actions?" I mean I would expect they should be able to reply as themselves or as anonymous? Is that not the case?Confirmed. Unforrunal the option for the anon function is now missing again on the most used functions (quick reply and quick thread) - and all subsequent actions in this thread are made publicly by the real user, which reveals his identity :/
Regarding posting it is, even when the checkbox has to be ticked with every post, else the user is posting with his real user account. With subsequent actions I was referring to reactions. It has been already mentioned before, that the problem is mainly that the anonymous user is a virtual one. For some this may be enough for their users, because the purpose is rather trivial. In our use case and for our users, such an accidental "exposure" would have very serious and far-reaching consequences, which would probably be most appropriate to describe as "devastating".I mean I would expect they should be able to reply as themselves or as anonymous? Is that not the case?
Any checkbox could easily be edited to be checked by default I suppose. But people want to be anonymous not too much to ask to check a box IMO.Regarding posting it is, even when the checkbox has to be ticked with every post, else the user is posting with his real user account. With subsequent actions I was referring to reactions. It has been already mentioned before, that the problem is mainly that the anonymous user is a virtual one. For some this may be enough for their users, because the purpose is rather trivial. In our use case and for our users, such an accidental "exposure" would have very serious and far-reaching consequences, which would probably be most appropriate to describe as "devastating".
What does "Show anonymous ID?" do in the new version?
A critical design error:
when a usergroup has the permissions "[tl] Anonymous Posting: Can view " set to yes - like admins and moderators will have - and look at a originally anonymous post, they don´t see that it´s an anonymous post! Instead they see the real user and his real profile. If they now answer to that post, they most likely will use the original poster real name in the thread "Hello [username], .. " and will reveal the users identity with that. This has to be changed, else the whole add-on isn´t useable.
I'd recommend to use the anonymous profile even for usergroups with the permission set to yes - but show them a link "Original author: [username]" as replacement for the "Guest"-usergroup in the profile block [the usergroup title is even incorrect, since the user is of course a member].
In general we have Anonymous (XXX) so that option just hide the (XXX)What does "Show anonymous ID?" do in the new version?
We use essential cookies to make this site work, and optional cookies to enhance your experience.