September 13, 2015 at 7:32 pm #284
This thread is where you list bugs. Be as specific as you can about what went wrong, what you were trying to do, what time of day and what time zone you are in. I will fix them as soon as I can. Thanks.
September 13, 2015 at 9:49 pm #298
Hey guys. There are some persistent gremlins I am chasing around. Thanks for helping test this.
So I have put the site in debug mode, where errors will show up on the page. If you could make note and report the page the error showed up on, the complete error code, and what you were doing when it happened, it can help me suss it out. Thanks again!
November 5, 2016 at 12:29 am #592
Out of debug mode, and almost where we need to be with speed and stability. Please keep bug reports coming. Thanks
November 10, 2016 at 2:29 pm #649
Activity stream is spammed when editing a post AGAIN. Old fix no longer works. Will investigate, but it will possibly persist for a couple weeks if the solution isn’t fairly easy.
November 12, 2016 at 1:39 am #667
Current Bug (possibly not resolvable)
Posts in private group forums do not show up on activity streams of those logged-in users who are members of the group.
November 12, 2016 at 2:28 am #670
OK, the previous bug is a bigger deal than I realized. Be very careful about the first few words in a post in a feed in a private group. There seems to be a bug in privacy as it relates to private group feeds and the activity feed of even non-logged-in visitors.
I made a post tonight, in a private group feed. That post is partially available in the global activity feed of a logged out user. This permission issue is a MAJOR concern of mine, so please be wary of information posted to private group feeds at this time. I will be working on a fix. If no fix is available, I guess I will disable private group feeds. I can’t promise something that I cannot deliver.
If you need anything censored or removed that is visible that you thought was private, contact me immediately and let me know.
I sincerely want to make sure that everyone has the level of security that I promise and that you expect, which, by admission, while ambitious, is somewhat minimal. I take every precaution and more to protect your privacy and your shit.
In our world and current reality, look at who has been hacked.
I can do my best, but I don’t have 10% of the expertise that those that have already been hacked have. Be smart and don’t use this venue if something is life or death TRULY private. I will do my best, but be aware of my limitations.
That being said, I am pretty sure we can reach a decent understanding of privacy on this forum. I am watching your back and hope and expect that you are watching ours as well and will report any vulnerability, exploit, privacy violation, or weakness that you find in the interest of the community.
I pledge to fix it or remove the code that is responsible for the violation, even if it means loss of functionality.
I was investigating the issue contained in my last post when I discovered this new issue, and I had to share it with you.
Oddly, the issues that led me to this discovery were the exact opposite. I was logged in and didn’t see something that I expected to see. I logged out & I saw something I shouldn’t be seeing.
That being said, there is a way to minimize the issue in the short term. Post song lyrics or something before your actual post in a private group feed. The excerpt will only show the first few lines of a post (I think).
I have tested the links in the excerpt on the activity feed from a logged out account, and it was 404’s consistently.
I am using 3 different types of cache (which I did clear & test before posting this), so it may be my doing that did this. I need to test this on the sandbox server, but due to certain factors, that is a very involved process that I won’t have the time or focus to dedicate to for a week or 2.
I am also using a large variety of anti-spam and anti-bot measures, traps, and honeypots, as well as firewalls and security solutions. This is an involved process that will require significant attention to figure out the cause and mitigate it. In other words, it might take a while, and I apologize.
This is why we are still in beta (open beta, but STILL, beta). I apologize for the risk. I will either fix it or remove the option for private group feeds. There really isn’t a long term in-between decision, in my opinion (please let me know if you disagree, please).
The attached image shows a post I made in a private group feed, appearing to a logged out user in private browsing mode. The links don’t function, but the excerpt (and post) should have been 100% private.
This seems to be a complicated bug, but one that MUST be resolved. It is possible my caching solutions, or my theme, or our security, might be responsible.
It is also possible I may not be able to resolve this bug, and if that is the case, I may have to remove some functionality from the site to do so and maintain privacy.
The long story short is that this will possibly delay the launch and keep us in open beta for a bit longer. Privacy issues and permissions are something that I take very seriously, so I want to either sort the issue out, or eliminate the “features” that violate trust in any way.
Thank you all for the help in testing this. Anything you do, any post you make, any comment on anyone else’s post, any private message or email or group, or anything that you do is critical right now. If something doesn’t work as expected, post here immediately.
Thank You
November 13, 2016 at 2:05 am #682
Further testing has shown that the activity update of private groups is broken and comments and activity posts are broken, in terms of privacy.
This actually seems minimal, as private group forums are still 100% private. There are very specific, esoteric, places in the functions where privacy checks seem to be ignored. Thankfully, only 1 has been found that relates to private groups.
It can be isolated. We still are in beta (open beta, but still beta), so either we will fix it or remove certain functionality.
I just heard the phrase “it is easier to add functionality than to remove it.”
If you think in technical terms (which I might have done many years ago), that seems the opposite of my experience; integrating new technology into old is difficult.
But that phrase isn’t about tech, it’s about social reaction to losing functionality.
I am loath to remove awesome functionality, but if it can’t be reasonably secured, I can’t, in good conscience, deploy it, at least without full disclosure of certain bugs.
Stay tuned. Working on it. Solutions aren’t easy so far.