Announcement

Collapse
No announcement yet.

Security: Views exposed ...

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts
    John
    Senior Member

  • John
    replied
    I have identified this as a bug in the private forum 'setting' for forums. I will put the fix into the next version, but to sort out the problem youself, do this:

    1) Select modify forums under usergroups in the control panel.

    2) Select the edit link next to the private forum under the registered header.

    3) Set all the options here to no

    4) Repeat 2&3 as neccessary for each private forum and several of the user groups. The groups are: registered, unregistered, users awaiting email confirmations and (coppa) users awaiting moderation.

    John

    Leave a comment:

  • kibbles
    New Member

  • kibbles
    replied
    [QUOTE][i]Originally posted by Martin [/i]
    [B]okay, so it's still showing up in searches?

    Does the bug fix take care of the last post in profile problem? [/B][/QUOTE]

    I checked my code and I already had the fix in there (using "latestversion" here) but it's still showing up in the profile. I'll look again.

    To be honest I'm more concerned about the search function since it also lists the forum title in addition to the message title. That makes it kind of hard to have hidden & private forums.

    -G

    Leave a comment:

  • Mike Sullivan
    Former vBulletin Developer

  • Mike Sullivan
    replied
    (argh! Now I'm having cookie problems here...)

    Anyway, I tried that to reproduce the last bug on my forums and couldn't. I searched while logged in and the post correctly showed up. When I wasn't logged in (at all, NOT as another member), the post didn't show up...

    Leave a comment:

  • werehere
    Senior Member

  • werehere
    replied
    You could also remove that from your search template until there is a fix you are sure about:)

    Leave a comment:

  • Martin
    Senior Member

  • Martin
    replied
    okay, so it's still showing up in searches?

    Does the bug fix take care of the last post in profile problem?

    Leave a comment:

  • kibbles
    New Member

  • kibbles
    replied
    Unfortunately that doesn't correct the problem.

    Here's the steps to replicate:

    1. Create private forum.
    2. Post a message in that forum.
    3. Get another user who can't see the forum bring up the profile of the user who can (and posted).
    4. Click "Search for other posts by this user"
    5. Look at list in shock and dismay as it lists the forum name and the post title in the results list when this particular user shouldn't be able to see anything.

    For now I've disabled search on my forum but it's a real PITA.

    -G

    Leave a comment:

  • Martin
    Senior Member

  • Martin
    replied
    Kibbles,
    The fix for this is here:
    [url]http://vbulletin.com/forum/showthread.php?threadid=600[/url]

    It will be corrected in the next release:)

    Leave a comment:

  • kibbles
    New Member

  • kibbles
    started a topic Security: Views exposed ...

    Security: Views exposed ...

    Just as a heads up I've found a weird bug. If oyu have a private forum everything is fine. However, if a user clicks on your profile on a post in a public forum and your last post was in the private forum it lists the name of the private forum!

    Personally, I don't want people outside of the private forums to even know they exist. :(

    -G
widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
Working...
X