User Group and User Groups Secondary

14 Posts
4 Users
0 Likes
3,065 Views
Posts: 31
Customer
Topic starter
(@tim40)
Member
Joined: 7 years ago

I just upgraded to wpForo 1.7.7 and wpForo - User Custom Fields 2.0.1

I'm having a MAJOR issue with the User Group and User Groups Secondary fields. These fields are on the Account tab and they were only available to the admin usergroup previously. But now the User Group field isn't available to anyone (including admin) and the User Groups Secondary field is available to everyone.

Luckily a user pointed out the User Groups Secondary field to me. The fact that it's available to everyone is a major security breach since I have some private forums that only certain people should have access to. Currently they are able to give themselves access.

I have temporarily removed the User Group and User Groups Secondary fields from the Account tab until I can figure out how to make them both visible to admin and admin only.

13 Replies
1 Reply
 Tom
Admin
(@tomson)
Joined: 9 years ago

Famed Member
Posts: 4173

Navigate to Members Fields > Field Manager Tab, edit the Secondary Usergroup and manage access to that field. Then navigate to Tab Manager > Account Tab and add it back.

Posts: 4173
 Tom
Admin
(@tomson)
Famed Member
Joined: 9 years ago

Hi @tim40,

Please add the Secondary Usergroup back and manage the permissions. When you edit the Secondary usergroup you'll see new options to manage access.

Posts: 31
Customer
Topic starter
(@tim40)
Member
Joined: 7 years ago

I tried that with the User Groups Secondary field, but it didn't seem to do anything. Two problems:

Even if I only give access to the 0 Deactivated Usergroup (see screenshot below), a user who is not in that Usergroup can still see the field on their Account tab when I add the field to the Account tab.

Actually, I would prefer to uncheck everything in the Who can see? section so only the Admin Usergroup would have access, but when I do that and go back in, everything is checked.

image
Posts: 31
Customer
Topic starter
(@tim40)
Member
Joined: 7 years ago

Looks like this is a problem with regular Text Custom Fields as well. I just used the Duplicate field option to copy an existing custom field called Old Username to a new custom field called Special Instructions.

Now all of a sudden the Old Username field is visible to everyone where previously it was only visible to Admin.

Same problem as my User Groups Secondary field in that I can't uncheck everything in the Who can view? section to only give access to Admin because it re-checks everything the next time I go in.

So, I tried only giving access to the 0 Deactivated Usergroup like this:

image

Then I log in as someone who does not have access to the 0 Deactivated Usergroup and they can still see my custom field:

image

Bottom line, I don't think security is working on custom fields anymore. Bug?

1 Reply
Astghik
Admin
(@astgh)
Joined: 6 years ago

Illustrious Member
Posts: 5923

@tim40,

The who can view option is designed to make it hidden or visible on the profile tabs. It doesn't have any relation to the account tab.

The solution: if you want to hide it, you just need to remove the field. Then as an admin manage it from the dashboard.

Posts: 31
Customer
Topic starter
(@tim40)
Member
Joined: 7 years ago

That's disappointing that we lost this functionality. It definitely worked before the upgrade.

How can I manage the data stored on an individual Member Profile from the Dashboard? The only way I can see is to manage the data on the Account tab. I have certain data that I keep track of for each Member Profile (Usergroups and some other things). But only Admin should have the ability to manage this data.

Is it possible to create a new custom tab that only Admin can see? Will the Who can view? section on the tab work to restrict access to only Admin?
