Question How do you hide Forum Statistics and User List from registered users? Revisited

3 years 2 months ago #1 by TC
Hi,
I'm configuring 4.0.3 on Joomla 3.4.3.
It's required that registered users should NOT be able to see other users for the external (public viewable) forum. (All new topics are Anon and only internal (Editors and higher) may reply.)

Whilst the Forum Statistics and User List have been disabled, registered users can still harvest a userlist by entering a Search, progressing to Advanced Search and using the data-provide typeahead dropdown on the User Name data entry field.

The client's requirements are such that hiding the information with CSS is not adequate. Suitable options are:
1) Disable Advanced Search
2) Disable Search by User
3) Disable data-provide typeahead.

Disabling (simple) Search is NOT an option.

Does anyone know how this can be achieved short of a core Kunena hack please?

3 years 2 months ago - 3 years 2 months ago #2 by sozzled

TC wrote: Whilst the Forum Statistics and User List have been disabled ... [or] hiding the information with CSS ...

It is true that, from K 3.0.8, it is not possible for people to access the userlist or attempt to directly go to the URL that generates the userlist (without logging in first) using the forum configuration setting

Kunena Forum: Configuration » Security » Security Settings » Allow Guests to see Userlist = No

It may not be possible to prevent access to the forum statistics page (to restrict access to it to a particular class of user) because there is only one configuration setting, viz.

Kunena Forum: Configuration » Users » User Related » Show User Statistics = Yes | No

Either the statistics page is shown for everyone or for no-one.

TC wrote: registered users can still harvest a userlist by entering a Search, progressing to Advanced Search and using the data-provide typeahead dropdown on the User Name data entry field.

Yes, this is certainly the case. It is also true that the setting

Kunena Forum: Configuration » Security » Security Settings » Allow Guests to see User Profiles = No

prevents people from looking at user profiles by clicking on a username (even if they "discovered" the name(s) with the Search feature).

To restrict this kind of access so that only Editors (and above) are the only ones who can use the Search feature is a bit more complicated than a "simple" hack to the Kunena core. Anyway, if you hack the core, you will have to reapply those changes whenever you upgrade Kunena (so this is not really a good idea).

It's possible to insert changes throughout the Kunena template (i.e. write your own template) to add extra "custom" security over and above what Kunena already provides, but this is a fair bit of work.

The other so-called "suitable" options are not really very attractive or easily attainable short of, again, revisiting the few thousand lines in the Kunena template and adding extra lines of PHP.

If I was in your position, I would discuss this "requirement" with your client and point out that while anything is possible, everything comes at a cost. If the client insisted that this was a mandatory, non-negotiable requirement, my estimate of the time it would take to write a customised Kunena template that included these added security features would take about 3-4 days to complete. At a typically normal rate of between $50-75 per hour, that's an added $1200-2400 to the total development cost. It's not really a question of whether it's possible: it boils down to a question of whether the client is prepared to pay the additional costs and added delay.
Last edit: 3 years 2 months ago by sozzled.

3 years 1 month ago #3 by TC
Thanks for your prompt response.

Clearly Kunena is not for anyone running a website where just being a member may be viewed as sensitive information.

We've decided to use Chrono Forums instead which requires a few tweaks to give anonymous posting but doesn't fundamentally break Joomla's security.
