No announcement yet.

Please help

  • Filter
  • Time
  • Show
Clear All
new posts

  • Please help

    Recently we have been shifting our forum orders about because we have seen people browsing the private ones. The latest step in this was to create a few new user groups, and edit the access permissions for the others.

    But still there's problems. The strangest of these is people showing up in the Who's Online viewing a private forum that has been locked and set to NOT active. When admin log in they cant even see these particular forums due to their being not active, so how is it that a regular registered member can show up as viewing said forum?

    I havent as yet managed to establish whether or not the members in question have been able to view the content of threads in the forum, but the fact that they can see it anywhere has me completly at a loss. I'm one of the 2 admin on the site, and the only place i can view this particular forum is when its listed in the user cp!

    Urgent help please on this one, as we're now afraid to even post in our admin/mods forum for fear of an unauthorised member viewing the content.

  • #2
    The current breakdown for that particular forum is as follows;

    Private Forum - yes
    Act as forum - yes
    Is active - no
    Open for new posts - no

    Its a new forum that was only created 2 nights ago, under a parent forum that was also just created, and the forum id's are not the same as any other forums that existed before.


    • #3
      the user locations on the online.php page aren't a good way to see if permissions are working. if a user doesn't have permission to view a thread but clicks a link somewhere that goes to that thread then they will be given a standard "no permission" page while the online list says they are viewing that thread. online.php does not account for permissions when showing the location of users.

      the best way to test your permissions is to create a test user. set the usergroup of the test user and try to access private forums while logged in as that user.


      • #4
        Jakeman i understand what you're saying. I've seen that before while testing the usergroups with a dummy account and have got the cannot view page.

        But this problem is a little more complex than what you mentioned. We (myself and my partner) created a new Parent Forum on Monday night, which was set to invisible and not active. Within this parent we created 3 child forums which needed specific access to be allowed for them to be viewed. The 3rd of these child forums was one that was to only be able to be seen, accessed and posted in by myself and my partner. Some threads that we needed to keep would be moved there, and apart from that all content there would not be linked to any other forum on the site.

        It was set as a private child forum under a private parent title, so no regular member should have ever known of its existance (we even went to the trouble of closing the board while we created these and edited the permissions). And this is the very forum that people are showing up as viewing. I've tried to see it as a member of all user groups, and even in my own admin account i cant view it. The only way i can view it is by accessing it through my subscribed threads link.

        I've checked the one thread that was moved there from another forum, and the user who has been seen viewing the forum has not posted on it - so he shouldnt even have a subscribed thread link to it.

        Any other suggestions as to how he might have browsed across it?


        • #5
          Originally posted by GTI-R Kid

          It was set as a private child forum under a private parent title, so no regular member should have ever known of its existance (we even went to the trouble of closing the board while we created these and edited the permissions).
          People can try to click on threads in these forums because the title of threads being viewed by staff will show up in Who's Online. This is because private child forums do NOT inherit the security permissions of their parent forums. This is a bug with vB 2.2.x - you need to manually set each child forum with the forum permissions for each usergroup - never rely on parental permission for private forums.
          Avatar Chat


          • #6
            What you mention Erwin, has already been implemented on our site. We spent days browsing these forums so that when we did set up our forums we'd do it correctly. Who's Online has been de-activated for weeks now with only the 2 admin now having the use of it. The link was removed.

            We did set all the forum permissions individually, both parent and child, for all user groups, and it is only the one forum of the 3 child forums that people have been seen viewing. This is what has me so puzzled.

            If someone is not given the correct permissions, they get the unauthorised to view page. Thats been stated throughout these forums here. Since the who's online feature has been disabled and they cant click a link from there, and permissions have been set so that they cannot view the parent forum or any of the child forums, how have they even access to the link?