Private groups leaking via RSS

Sorry Robin, we’re deep in the bowels of our product beta test (and so fixing code) so I haven’t had time to revisit this. I don’t know about browser tabs but I discovered this problem when the private forum showed up in my RSS News Reader so SOMETHING was clearly making it appear. I’m unaware that we’ve done anything on our website unusual regarding forums, etc so other than replacing the default widgets with your ones, I haven’t changed anything else.

thanks – I’m adding some code that will give an extra stop to a single topic, but this is not is your issue as you saw it in a feed, not by typing in a url with the that exact topic title in it, which would be an amazing guess by a user.

I think my assumptions above are a good

either you have something that is adding topics to the raw wordpress feed (which only sends posts) and I clearly can’t control someone else’s code that directly accesses the database
or
The fact that you saw it in your rss may mean that it was sent by bbpress, but you saw it because you had permission by being logged in.

I’ll mark this topic as resolved once I have done this, but please come back if you are able to help with some testing. As I say without being able to see the issue, I can’t work out an issue.

My RSS Feed doesn’t log in (good thought though), it just uses the standard XML link as described earlier.

But yes, as soon as I come out of the current black hole, I will be happy to check it again and I certainly appreciate your efforts.

——
The fact that you saw it in your rss may mean that it was sent by bbpress, but you saw it because you had permission by being logged in.

My RSS Feed doesn’t log in (good thought though)

it does ! you just don’t know it.

anyway come back when you can and I’ll explain further.

I don’t see how it could — I never gave it my WordPress credentials.

cookies !!

In essence when the rss feed reaches out to your website wordpress/bbpress will pick up any cookies that you use to get the site to remember you, and issue content dependant on that.

If you have the time I can show you how that works, but probably better to do it when you have time.

Robin, I think we’re talking at cross purposes. I’m not using a browser (that might already have some cookies in it) to do RSS.

I’m using standalone RSS applications on devices like my iPad which do not have my WordPress credentials.

Other people who have no credentials were also able to see the private feed using their RSS apps. Those users would not have ANY credentials to log in to the wordpress site in question.

Again, right now, I have it all blocked — I’ll get in touch with you in a few months when we’re done with the beta program and I’ll take another look at this.

ok thanks

marking as resolved for the moment, but will re-open as soon as dhjdhj comes back