No announcement yet.

Security: Views exposed ...

  • Filter
  • Time
  • Show
Clear All
new posts

  • Security: Views exposed ...

    Just as a heads up I've found a weird bug. If oyu have a private forum everything is fine. However, if a user clicks on your profile on a post in a public forum and your last post was in the private forum it lists the name of the private forum!

    Personally, I don't want people outside of the private forums to even know they exist. :(


  • #2
    The fix for this is here:

    It will be corrected in the next release:)


    • #3
      Unfortunately that doesn't correct the problem.

      Here's the steps to replicate:

      1. Create private forum.
      2. Post a message in that forum.
      3. Get another user who can't see the forum bring up the profile of the user who can (and posted).
      4. Click "Search for other posts by this user"
      5. Look at list in shock and dismay as it lists the forum name and the post title in the results list when this particular user shouldn't be able to see anything.

      For now I've disabled search on my forum but it's a real PITA.



      • #4
        okay, so it's still showing up in searches?

        Does the bug fix take care of the last post in profile problem?


        • #5
          You could also remove that from your search template until there is a fix you are sure about:)
          We're Here Forums!
          [email protected]


          • #6
            (argh! Now I'm having cookie problems here...)

            Anyway, I tried that to reproduce the last bug on my forums and couldn't. I searched while logged in and the post correctly showed up. When I wasn't logged in (at all, NOT as another member), the post didn't show up...


            • #7
              [QUOTE][i]Originally posted by Martin [/i]
              [B]okay, so it's still showing up in searches?

              Does the bug fix take care of the last post in profile problem? [/B][/QUOTE]

              I checked my code and I already had the fix in there (using "latestversion" here) but it's still showing up in the profile. I'll look again.

              To be honest I'm more concerned about the search function since it also lists the forum title in addition to the message title. That makes it kind of hard to have hidden & private forums.



              • #8
                I have identified this as a bug in the private forum 'setting' for forums. I will put the fix into the next version, but to sort out the problem youself, do this:

                1) Select modify forums under usergroups in the control panel.

                2) Select the edit link next to the private forum under the registered header.

                3) Set all the options here to no

                4) Repeat 2&3 as neccessary for each private forum and several of the user groups. The groups are: registered, unregistered, users awaiting email confirmations and (coppa) users awaiting moderation.

                John Percival

                Artificial intelligence usually beats real stupidity ;)


                widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.