Activity Streams Not Respecting Group Permissions?

[HW1213]

That will teach me not to refresh my own site while I am busy writing a post.  Another admin figured out it's the "users can see topics posted by other users" permission setting for individual forums.  That's not especially intuitive since typically of course we want users to see topics posted by other users.   Unchecking that setting seems to fix the loophole, though.  We'll keep fiddling and checking all our supposed-to-be-private areas, and hopefully that's the last of the loopholes of the group privacy settings.

 

Earlier this month, we converted our forum from SMF to IPB, so the IPB software is still a little new to us.  An issue that we are having is that activity streams apparently do not respect group permissions.  That is, members can see certain items in the activity stream and click on them to get into topics in areas they shouldn't have access to.  More experienced IPB admins, is there some setting we are overlooking?  If so, where exactly can we find it/what exactly is it called?

So far this has occurred only with activities related to following.  See the attached screenshots.  The first one shows someone being able to see that an admin started following a topic in what is supposed to be an admin-only area.  The second one shows that she could click into the topic and read it--although she cannot see that forum from the main page.  I have checked her group permissions, and she does not have any permissions for the admin forum.  However, she is a global moderator.    I don't know if we can remove the option to follow topics (since then "so-and-so started following a topic" would not appear in any activity streams), but we'd rather not as it's a useful feature.

We previously removed the notification option for "someone I'm following makes a post" because it was generating notifications for content that users (with no mod permissions at all) had no permission to see, and they could click into it as described above.

There are a few areas on our forum that are supposed to be private to different groups of users, and it is important during events that they can't see into each other's areas through this activity stream loophole.

Any ideas? 

 

 

[Colonel_mortis]

If a group doesn't have permission to view a forum, those posts shouldn't show in the activity feed, regardless of the status of the "Users can view topics created by other users" setting, and users shouldn't be able to access the topic when clicking a link to it regardless of how they acquired the link. If that's not the case on your site, you should definitely submit a ticket.

[HW1213]

The posts themselves don't show.  It's the "[some member] followed [some topic]" that shows in the activity stream...and then all other members can click on the [some topic] link and read it regardless of whether they have permission to access that forum or not.  It turns out the "fix" we found yesterday works for the staff area if we make all mods global mods with permission to see all content, but that obviously can't work for the other areas that are supposed to be private to different groups because we can't make all members global moderators.

I am definitely going to submit a ticket because this privacy loophole is a real problem.

[Cyboman]

Any news on this? Was it a configuration issue?