Who out there is a vBulletin administrator, and has more than 1 private forum established?
Do me a favour - login as a registered user who has access to some but not all of your private forums. You should now see just the private forums that they have access to. Now click on one of those private forums. You'll notice a 'forumid=xx' in the address window of your Internet browser where 'xx' is the unique number of that private forum.
Now edit that forumid in the URL to be the id of another private forum that this user is not supposed to have access to (ie. cannot see when they first login). Can you now see the other private forum? Unfortunately, the way I've setup my version (2.03) of vBulletin, my user can now see (and access) the other private forums.
The only way I have found so far to prevent the above URL hack is to explicity edit the access mask for all registered users (who are not entitled to view this particular private forum) to 'No' as opposed to 'Default'. But this a huge pain, because it means that if I create a new private forum with, say, 2 registered users having access to it, I then have to edit the access masks of ALL my other existing registered users to explicitly set them to 'No' for this new private forum.
I'm hoping this is a problem with the way I've set up my version of vBulletin, and not a genuine bug.
Can anyone help/advise? I've been in touch with vBulletin support - they seem to hear what I'm saying, but I carry out their suggestions but to no avail - the URL 'hack' remains.
I really, really hope that it's just a mental block on my part, and that I'll be able to return to this thread very soon with a big 'Doh!' and an explanation of what I was doing wrong.
Do me a favour - login as a registered user who has access to some but not all of your private forums. You should now see just the private forums that they have access to. Now click on one of those private forums. You'll notice a 'forumid=xx' in the address window of your Internet browser where 'xx' is the unique number of that private forum.
Now edit that forumid in the URL to be the id of another private forum that this user is not supposed to have access to (ie. cannot see when they first login). Can you now see the other private forum? Unfortunately, the way I've setup my version (2.03) of vBulletin, my user can now see (and access) the other private forums.
The only way I have found so far to prevent the above URL hack is to explicity edit the access mask for all registered users (who are not entitled to view this particular private forum) to 'No' as opposed to 'Default'. But this a huge pain, because it means that if I create a new private forum with, say, 2 registered users having access to it, I then have to edit the access masks of ALL my other existing registered users to explicitly set them to 'No' for this new private forum.
I'm hoping this is a problem with the way I've set up my version of vBulletin, and not a genuine bug.
Can anyone help/advise? I've been in touch with vBulletin support - they seem to hear what I'm saying, but I carry out their suggestions but to no avail - the URL 'hack' remains.
I really, really hope that it's just a mental block on my part, and that I'll be able to return to this thread very soon with a big 'Doh!' and an explanation of what I was doing wrong.
Comment