No announcement yet.

How to change default access to 'No' for Registered Users to Private Forums?

  • Filter
  • Time
  • Show
Clear All
new posts

  • How to change default access to 'No' for Registered Users to Private Forums?

    Most of my question is right there in the title.

    My problem is that, when I add a new private forum, my existing registered users cannot 'see' the new private forum that I've just created. BUT it turns out that they can simply edit the forumid part of the URL to gain full access to it. Not good.

    The 'solution' I have right now to this potential security risk to my private forums is that I have to explicitly visit the permissions for each and every registered user and set the flag to 'No' for the new forum, as opposed to 'Default'. Access masks are turned on, because I need to be able to indicate which individual users have access to which private forums.

    So the 'correct' solution is either that individual permissions for access to a new private forum need to default to 'No' on creation of the new forum, OR the 'default' setting needs to be set 'No' (if that makes sense). Either way, I don't know how to achieve this result.

    Can anyone advise?

  • #2
    CP -> User Groups & Permissions -> Modify Forums -> Your Forum -> Registered -> Can not access


    • #3
      Hi James, and thanks for your suggestion. Unfortunately it hasn't fixed my problem.

      I've clicked on 'edit' next to the 'registered' user group for my new private forum, and the next page I am presented with gives me the option to either 'use usergroup default', or to 'use custom settings'. I've opted to go with custom settings, and selected 'No' to every single option.

      But my problem remains - existing registered users cannot 'see' the new private forum, but it's possible for them to edit the forumid in the URL and get complete access to the new private forum. Only by editing permissions for each user explicity to 'No' for the new private forum can I prevent this sort of URL 'hack'.

      Perhaps I have an incorrect setting somewhere else that is screwing things up?
      Perhaps I've discovered a potential security hole for private forums?

      Hoping someone can advise...


      widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.