No announcement yet.

How to prevent URL edit of forumid to gain access to private forums?

  • Filter
  • Time
  • Show
Clear All
new posts

  • How to prevent URL edit of forumid to gain access to private forums?

    Who out there is a vBulletin administrator, and has more than 1 private forum established?

    Do me a favour - login as a registered user who has access to some but not all of your private forums. You should now see just the private forums that they have access to. Now click on one of those private forums. You'll notice a 'forumid=xx' in the address window of your Internet browser where 'xx' is the unique number of that private forum.

    Now edit that forumid in the URL to be the id of another private forum that this user is not supposed to have access to (ie. cannot see when they first login). Can you now see the other private forum? Unfortunately, the way I've setup my version (2.03) of vBulletin, my user can now see (and access) the other private forums.

    The only way I have found so far to prevent the above URL hack is to explicity edit the access mask for all registered users (who are not entitled to view this particular private forum) to 'No' as opposed to 'Default'. But this a huge pain, because it means that if I create a new private forum with, say, 2 registered users having access to it, I then have to edit the access masks of ALL my other existing registered users to explicitly set them to 'No' for this new private forum.

    I'm hoping this is a problem with the way I've set up my version of vBulletin, and not a genuine bug.

    Can anyone help/advise? I've been in touch with vBulletin support - they seem to hear what I'm saying, but I carry out their suggestions but to no avail - the URL 'hack' remains.

    I really, really hope that it's just a mental block on my part, and that I'll be able to return to this thread very soon with a big 'Doh!' and an explanation of what I was doing wrong.

  • #2


    • #3


      • #4
        As far as I've been able to figure: This is not a bug, it's the designed behaviour. And, yes, this is not the most useful way to have it. The developers are well aware of this, and have said that there will be a major rewrite of the access system in one of the future releases (don't remember if they said what version it would be)

        The way I solve this..
        1. Set Private forum to No when creating the forum.
        2. Then use User Groups and Permissions - Modify forums to deny access (set everything to No) for:
          - (COPPA) Users Awaiting Moderation
          - Registered
          - Unregistered / Not Logged In
          - Users Awaiting Email Confirmation.
        3. Edit the access mask of the users you want to let into the forum (set them to yes for the corresponding forum).
        Hope this helps

        - Tommy
        MCP / MCSA / MCSE / MCT
        A few eggs short of a complete easter basket

        vB 4.0.5+ CMS (No hacks), Windows Server 2008 R2 Ent, IIS 7.5, PHP 5.3+ (FastCGI), WinCache, Memcached, MySQL 5.1.45


        • #5
          Thanks for that feedback TommyBALL. You're the first person in months (on and off) of trying that has

          a) understood what I'm saying (was I really explaining it that badly, everyone else?)
          b) confirmed (to the best of your knowledge) that there is a 'problem'
          c) offered a constructive solution.

          Sorry if I sound slightly bitter and twisted - it's just that until now I've been going nowhere fast on this issue, and it's been frustrating the hell out of me.

          Before I try your suggestion, another thing to ask...

          How do should I deal with 'categories' (Act as a forum = No) in relation to this issue? Right now I have a single 'category' called 'Private Forums', which (obviously) acts as the parent category for all my private forums. For the sake of simplicity, perhaps I should just remove this category completely before implementing your suggestions? Note that I use my vBulletin just for helping to manage small 'private' project/discussion groups of 2-5 people, and I have no intention in the short term of requiring any public forums to be available.

          Thanks so much for your help.


          • #6
            I have no idea how you caused this problem, i have about 50 out of my 150 forums private.

            I am not able to get my way into any forums im not allowed to, as a registered user.

            It must have been the way you setup your private forum permissions.

            Click 'modify forums' button in the admincp, and set all usergroups to not allowed, except admins i guess, and use access masks to grant access.

            Never had any problems.
            [edit] with your catagory, just for being simple, leave that open to everyone, or if you wish, when you change access masks to yes for their forum,. do it for the catagory too.

            Also, it might be worth checking out my improved access masks hack, in my sig.



            • #7
              Spaceman: If you have all your hidden forums in the same category, will make this even simpler

              Set the access restrictions I mentioned earlier on the category, instead of the forums. The restrictions on the category will be "inherited" down into the forums under it. This is shown by the blue as opposed to the red on the category restrictions.
              Now, you can give access to each user as you see fit

              - Tommy
              MCP / MCSA / MCSE / MCT
              A few eggs short of a complete easter basket

              vB 4.0.5+ CMS (No hacks), Windows Server 2008 R2 Ent, IIS 7.5, PHP 5.3+ (FastCGI), WinCache, Memcached, MySQL 5.1.45


              • #8
                fyi, Wayne (one of the vBulletin developers/support people) is taking a hard look at my implementation of vBulletin right now(ish).

                Early reports are that my vBulletin is not working as it's supposed to... will report back to this forum when I know more.

                Stay tuned.


                widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.