Notifications
Clear all

Paid Addons Support Forum Only

Please note, that here we only support Paid Addons issues and questions.

gVectors Support staff works from 6am to 6pm (GMT+0)

All questions related to wpForo and wpDiscuz free plugins should be asked in the corresponding plugin support forum:

 

wpDiscuz Support Forum   wpForo Support Forum

User Group and User Groups Secondary  

Page 1 / 2

Tim Rodman
Posts: 23
Customer
(@tim40)
Member
Joined: 3 years ago

I just upgraded to wpForo 1.7.7 and wpForo - User Custom Fields 2.0.1

I'm having a MAJOR issue with the User Group and User Groups Secondary fields. There fields are on the Account tab and they were only available to the admin usergroup previously. But now the User Group field isn't available to anyone (including admin) and the User Groups Secondary field is available to everyone.

Luckily a user pointed out the User Groups Secondary field to me. The fact that it's available to everyone is a major security breach since I have some private forums that only certain people should have access to. Currently they are able to give themselves access.

I have temporarily removed the User Group and User Groups Secondary fields from the Account tab until I can figure out how to make them both visible to admin and admin only.

11 Replies
1 Reply
Tom
 Tom
Admin
(@tomson)
Joined: 5 years ago

Support Team
Posts: 3220

Navigate to Members Fields > Field Manager Tab, edit the Secondary Usergroup and manage access to that field. Then navigate Tab Manager > Account Tab and add it back.

Reply
Tom
Posts: 3220
 Tom
Admin
(@tomson)
Support Team
Joined: 5 years ago

Hi @tim40,

Please add the Secondary Usergroup back and manage the permissions. When you edit the Secondary usergroup you'll see new options to manage access.

Reply
Tim Rodman
Posts: 23
Customer
(@tim40)
Member
Joined: 3 years ago

I tried that with the User Groups Secondary field, but it didn't seem to do anything. Two problems:

Even if I only give access to the 0 Deactivated Usergroup (see screenshot below), a user who is not in that Usergroup can still see the field on their Account tab when I add the field to the Account tab.

Actually, I would prefer to uncheck everything in the Who can see? section so only the Admin Usergroup would have access, but when I do that and go back in, everything is checked.

image
Reply
Tim Rodman
Posts: 23
Customer
(@tim40)
Member
Joined: 3 years ago

Looks like this is a problem with regular Text Custom Fields as well. I just used the Duplicate field option to copy an existing custom field called Old Username to a new custom field called Special Instructions.

Now all of a sudden the Old Username field is visible to everyone where previously it was only visible to Admin.

Same problem as my User Groups Secondary field in that I can't uncheck everything in the Who can view? section to only give access to Admin because it re-checks everything the next time I go in.

So, I tried only giving access to the 0 Deactivated Usergroup like this:

image

Then I login as someone who does not have access to the 0 Deactivated Usergroup and they can still see my custom field:

image

Bottom line, I don't think security is working on custom fields anymore. Bug?

Reply
1 Reply
Astghik
Admin
(@astghik)
Joined: 3 years ago

Support Team
Posts: 4210

@tim40,

The who can view option is designed to make it hidden or visible on the profile tabs. It doesn't have any relation to the account tab.

The solution: if you want to hide it, you just need to remove the field. Then as an admin manage it from the dashboard.

Reply
Tim Rodman
Posts: 23
Customer
(@tim40)
Member
Joined: 3 years ago

That's disappointing that we lost this functionality. It definitely worked before the upgrade.

How can I manage the data stored on an individual Member Profile from the Dashboard? The only way I can see is to manage the data on the Account tab. I have certain data that I keep track of for each Member Profile (Usergroups and some other things). But only Admin should have the ability to manage this data.

Is it possible to create a new custom tab that only Admin can see? Will the Who can view? section on the tab work to restrict access to only Admin?

Reply
Page 1 / 2
Share: