[2.1] Global content notification setting is ignored/overriden by user setting

Started by m4z, September 06, 2019, 11:48:51 AM

Previous topic - Next topic

m4z

In my 2.1rc2 forum, I selected Admin → Configuration → Features & Options → General → Don't allow post text in notifications, assuming this means users won't receive message contents in notifications mails by default, and won't be able to change this, howevery they set their preferences[0].
However, if users select [profile dropdown] → Notifications → Receive message body in e-mails, the global setting is apparently ignored and users receive post contents without problems (contrary to what the admin believes is happening). This applies both to admin and unpriviledged users.

I haven't tested if the global notification default plays a role in this (my forum default for Admin → Configuration → Features & Options → Notifications → Receive message body in e-mails is unchecked/off) or whether if a user is using the defaults does; in my tests, the accounts had explicitly set a non-forum-default preference.

I highly doubt this is intented behavior, and it surely is a privacy issue if you assume your content to be protected behind HTTPS...


[0]: The option text doesn't mention mail, but the help text clearly suggests this:
Quote
This setting removes the option to receive the text of replies, posts, and personal messages in notification emails.

Often, members will reply to the notification email, which in most cases means the webmaster receives the reply.
"Faith is what you have in things that don't exist."
--Homer Simpson

Es gibt hier im Forum ein deutsches Support-Board!

Kindred

it removes the option...
if the user has already SET the personal option/setting - changing the setting that you mention will not change the user's setting -- as a matter of fact, it will remove the option from the user's profile settings and the user will never be able to unset that option.
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

m4z

Quote from: Kindred on September 06, 2019, 01:09:29 PM
it removes the option...

It doesn't in any of my 3 SMF2.1rc2 installations, neither for admins nor unpriviledged users, and independent of whether the user had set the option or not.
"Faith is what you have in things that don't exist."
--Homer Simpson

Es gibt hier im Forum ein deutsches Support-Board!

m4z

Quote from: m4z on September 06, 2019, 01:26:18 PM
Quote from: Kindred on September 06, 2019, 01:09:29 PM
it removes the option...

It doesn't in any of my 3 SMF2.1rc2 installations, neither for admins nor unpriviledged users, and independent of whether the user had set the option or not.

So I've re-installed my "alpha" playground forum using the current Github ("release-2.1" branch) HEAD (6ba1e53c0b65edb202fa17b9dc0088f610fdbfd8, 2019-09-01) and the problem persists.

For comparison, when I un-check "Allow users to disable announcements", that option disappears even for my admin user.
"Faith is what you have in things that don't exist."
--Homer Simpson

Es gibt hier im Forum ein deutsches Support-Board!

m4z

Same in the current nightly (last_commit_dff7140):
QuoteVersion Information:
Forum version: SMF 2.1 RC2
Current SMF version: SMF 2.1 RC2
GD version: 2.1.1-dev
PostgreSQL engine: PostgreSQL
PostgreSQL version: 9.4.22
PHP: 5.6.40-0+deb8u4
Server version: lighttpd
"Faith is what you have in things that don't exist."
--Homer Simpson

Es gibt hier im Forum ein deutsches Support-Board!

m4z

Quote from: Kindred on September 06, 2019, 01:09:29 PM
it removes the option...

It would be helpful if you could add context to such a statement. Is this an assumption or did you actually confirm it? Was it this way in 2.0 and you assume it to be the same in 2.1?
Especially given your (post count and SMF position) street cred, I assumed your statement to be based on facts, and that I was encountering a (maybe postgres-related) bug. Now that I've read the code, I'm relatively sure what you state above is just plain incorrect.

Hacky, incomplete fix to just hide the option from users:

--- Themes/default/Profile.template.php.orig    2019-09-27 12:38:12.969408820 +0000
+++ Themes/default/Profile.template.php 2019-10-06 12:31:13.104214288 +0000
@@ -1917,6 +1917,10 @@
                {
                        foreach ($context['alert_group_options'][$alert_group] as $opts)
                        {
+                               // skip user option if sending message body is disabled globally
+                               if ($opts[1] == 'msg_receive_body')
+                                       if ($modSettings['disallow_sendBody']) { continue; }
+
                                echo '
                                <tr class="windowbg">
                                        <td colspan="3">'


It doesn't address users already having set this option yet (when I've achieved that, I'll write up a PR), which you mentioned before:

Quote from: Kindred on September 06, 2019, 01:09:29 PM
if the user has already SET the personal option/setting - changing the setting that you mention will not change the user's setting -- as a matter of fact, it will remove the option from the user's profile settings and the user will never be able to unset that option.


Thanks for doing SMF!  :-*
"Faith is what you have in things that don't exist."
--Homer Simpson

Es gibt hier im Forum ein deutsches Support-Board!

Arantor

Huh, why is it even a thing that the users can override the admin setting on this subject? Certainly wasn't the intent when I introduced the notifications setup in 2.1.

m4z

It's just a plain old bug, I assume.

As mentioned above, when I globally disable the (somewhat similar) option to turn off announcements (newsletters?), that user option is hidden.
"Faith is what you have in things that don't exist."
--Homer Simpson

Es gibt hier im Forum ein deutsches Support-Board!

shawnb61

There are multiple issues with these settings:
https://github.com/SimpleMachines/SMF2.1/issues/5607
https://github.com/SimpleMachines/SMF2.1/issues/5011

So yes, I think it's an issue in the current version of 2.1.  And it will also get a bit of an overhaul when the GDPR changes are folded in as well, since those settings are directly impacted.
Address the process rather than the outcome.  Then, the outcome becomes more likely.   - Fripp

shawnb61

Address the process rather than the outcome.  Then, the outcome becomes more likely.   - Fripp

shawnb61

Address the process rather than the outcome.  Then, the outcome becomes more likely.   - Fripp

Advertisement: