
Update for critical security issue in PHPMailer included in release Vanilla 2.3.1
Vanilla 1 is no longer supported or maintained. If you need a copy, you can get it here.


This discussion is related to the Notifi addon.


  • Interesting, I've never done that before (removed categories). I'll check it out.
  • Sorry for the double post. I was having trouble with this "Text-only mode".
  • SubJunk, can you let me know if there will be any way to have the email From: and Subject: fields more specifically describe the content itself? We have a number of mailing-list holdouts who would like that kind of detail in the notification emails.

    Also, any ETA (even a general ballpark date) on version 2.0?

  • Hi jmcnally, yes that feature will be offered with version 2.0. Obviously it is not something everyone will want so there will be a toggle in the admin settings.
    And an ETA is a week, that is a rough estimate.
  • Raize vancouver ✭✭
    I can't wait, really looking forward to this add on
  • SubJunk, thanks! Can't wait to try it out. Appreciate all of your work on this!
  • Yup - looking forward to it. TY SubJunk.
  • I have found a huge bug with this addon, a possible security threat.
  • Can you be more specific? What do you mean by "modify the query string"? Which query string? Are you talking about a SQL injection?
    From what I can see what you have said doesn't show any security threats other than showing your server directory structure, which could let a hacker find a security threat by knowing where to look, but no security hole in Notifi.
    If you want to stop the directory structure from being visible if people are poking around you can turn off that error reporting on your server, servers should really have that turned off in the first place.
  • Dookie -

    If the issue is as bad as you say, the sensible thing would have been to PRIVATE MESSAGE SubJunk, so he could add the security fix into the next issue. Now this is publicly known, you are opening everyone using this extension up to abuse...
  • Sorry about that, I will PM SubJunk and edit my existing comment

    P.S. How do I send a private message? :D
  • Just type my name into the "Whisper your comments to" field, just above where you type your comment :)
  • We sorted it out. It wasn't a security hole as far as I can tell, but it just let non-users on a public forum see the Notification interface for accounts that don't exist, but interaction with the database does not occur. Anyway I've fixed it for the 2.0 release but there is still no rush with that because the current release 1.8.2 is still stable.
    Thanks dookie for mentioning it, it is great to know that there are people who will tell me if they find bugs, and spode thanks for pointing it out about the PM, that is the right way to report security bugs.
  • Subjunk, question ... is there a way for the link to the discussion in the email to authenticate the user before it attempts to visit the subscribed thread? If the user is already logged in this works fine of course, but if user is not logged in (which is often the case I'm finding out) the page they go to when clicking the email link says "discussion not found," with no further details. To most users this looks like a fatal error message.

    Would be great if that issue were addressed, making an already fantastic extension that much better. Thanks for all your hard work.
  • I don't know why it gives that error for you. I just tried it and it takes me to the login screen and then when I log in I am at the correct page.
  • Weird. When a user is not logged in on mine, it takes them to a page which says "Some problems were encountered. The requested discussion could not be found." Any clues as to what might be happening?
  • Are you using Notifi 1.8.2 and Vanilla 1.1.5a?
    Well there is a way you could modify Notifi in order to make it work in that case but it won't work for users who are logged in. It's not an elegant solution but if you have more users who don't stay logged in than those who do it may be a better option until I or someone else can figure out why this is happening for you.

    Open extensions/Notifi/default.php and change lines 352 to 373 to this:
    <a href="'.$DiscussionForm->Context->Configuration['BASE_URL'].'people.php?PageAction=SignOutNow&ReturnUrl='.$DiscussionForm->Context->Configuration['BASE_URL'].'comments.php?DiscussionID='.$DiscussionID.'&page='.$pageNumber.'#Item_'.$commentNo.'">Click here to view the comment on the forum</a> or copy and paste the following link into your web browser:<br />
    '.$DiscussionForm->Context->Configuration['BASE_URL'].'people.php?PageAction=SignOutNow&ReturnUrl='.$DiscussionForm->Context->Configuration['BASE_URL'].'comments.php?DiscussionID='.$DiscussionID.'&page='.$pageNumber.'#Item_'.$commentNo.'<br /><br />
    Kind regards,<br />
    '.$DiscussionForm->Context->Configuration['SUPPORT_NAME'].'
    </body>
    </html>';
    }
    // If this is a new discussion
    else
    {
        $message = '
        <html>
        <body style="background-color:#fff;">
        Hello '.$mName.',<br /><br />
        A new discussion called <strong>'.$discussionName.'</strong> was started, the comment is as follows.
        <div style="margin: 20px 0; padding: 10px; background-color: #fef9e9; border: 1px #ffedae solid;">
        <p style="padding: 5px; margin: 0 0 5px 0; background-color: #fff; border: 1px #ccc solid;">
        Post by: <strong>'.$mPosterName.'</strong>
        </p>
        '.$mComment.'<br />
        </div>
        <a href="'.$DiscussionForm->Context->Configuration['BASE_URL'].'people.php?PageAction=SignOutNow&ReturnUrl='.$DiscussionForm->Context->Configuration['BASE_URL'].'comments.php?DiscussionID='.$DiscussionID.'&page='.$pageNumber.'#Item_'.$commentNo.'">Click here to view the new discussion on the forum</a> or copy and paste the following link into your web browser:<br />
        '.$DiscussionForm->Context->Configuration['BASE_URL'].'people.php?PageAction=SignOutNow&ReturnUrl='.$DiscussionForm->Context->Configuration['BASE_URL'].'comments.php?DiscussionID='.$DiscussionID.'&page='.$pageNumber.'#Item_'.$commentNo.'<br /><br />
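Added example, not part of the post above or of Notifi's own code: the links in that snippet place one URL inside another's ReturnUrl parameter without percent-encoding it. This PHP sketch shows what a server parses from the raw form and from an encoded form; the helper names and the forum.example base URL are assumptions made for illustration.

```php
<?php
// Hypothetical helpers. Only people.php, comments.php, PageAction, ReturnUrl,
// DiscussionID, page and #Item_ are taken from the snippet in the thread.

function notifi_return_url(string $baseUrl, int $discussionId, int $page, int $commentNo): string
{
    // Integer parameters keep unexpected characters out of the URL.
    return $baseUrl . 'comments.php?' . http_build_query(
        ['DiscussionID' => $discussionId, 'page' => $page], '', '&'
    ) . '#Item_' . $commentNo;
}

function notifi_signout_link(string $baseUrl, string $returnUrl): string
{
    // http_build_query() percent-encodes the nested URL, so its own ?, & and #
    // stay inside the ReturnUrl value instead of ending it early.
    return $baseUrl . 'people.php?' . http_build_query(
        ['PageAction' => 'SignOutNow', 'ReturnUrl' => $returnUrl], '', '&'
    );
}

function query_params_seen_by_server(string $url): array
{
    // A browser never sends the #fragment, so only the query part is parsed.
    parse_str((string) parse_url($url, PHP_URL_QUERY), $params);
    return $params;
}

$base   = 'https://forum.example/';   // constructed sample value
$return = notifi_return_url($base, 42, 3, 9);

// Plain concatenation, as in the snippet: "&page=3" becomes a parameter of
// people.php and "#Item_9" is dropped from ReturnUrl.
$raw = $base . 'people.php?PageAction=SignOutNow&ReturnUrl=' . $return;
print_r(query_params_seen_by_server($raw));

// Encoded form: ReturnUrl carries the whole comments.php URL, fragment included.
$encoded = notifi_signout_link($base, $return);
print_r(query_params_seen_by_server($encoded));

// Inside the HTML email body the URL is also escaped for the attribute context.
echo '<a href="' . htmlspecialchars($encoded, ENT_QUOTES, 'UTF-8') . '">'
   . 'Click here to view the comment on the forum</a>', PHP_EOL;
```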
  • Yes, I'm using Vanilla 1.1.5a and Notifi 1.8.2. Hmm, I'm not sure that solution would work either, then I may have the opposite problem at some point. I may give it a whirl anyway ... but I'd rather try and figure out if there is some reason my setup is throwing error messages up when unauthenticated users click on the email links.

    Anybody else having this problem? A possible extension conflict perhaps?

    Anyway, Subjunk thanks for your help and looking into this -- appreciated!

    ps :: if this helps, these are the extensions I'm currently running:

    AddMember 1.0
    Applicant Email Verification 0.4.2.b
    Attachments 2.1
    Category Jumper 1.0
    DefaultPage 1.1.0
    Extended Application Form 1.0
    Extended Text Formatter 1.2
    Html Formatter 2.4
    Inline Images 1.3
    Latest Posts Integration 1.1
    MembersList 1.2
    New Applicants 1.3
    Notifi 1.8.2
    Nuggets 1.1.6
    Participated Threads 1.3
  • Well you can try disabling them all except for Notifi for a sec and seeing if that fixes it.
  • Disabled ALL extensions except Notifi, but no luck -- when a user is not logged in and clicks on the link provided in the generated email, it still takes them to a page which says "Some problems were encountered. The requested discussion could not be found." Same results as before (with all of my extensions enabled). At first I suspected DefaultPage extension could be the cause, but that didn't seem to hold true.

    Anybody else getting the "some problems were encountered ..." message?
  • You could make a new thread about this in the general support section because it has nothing to do with Notifi; the link that Notifi generates is just a normal Vanilla link, nothing special about it.
    Other people may be more likely to help you if you make a new thread, because they might not check this one.
    I suspect it is some setting you have selected in the Application Settings that is making it behave like this, I will be interested to know which setting it is. Again, if you wanted to you could tick and untick settings in there to test that theory.
  • I seem to remember getting the same error message. I wonder if it's a Category Roles issue?
  • Subjunk, you d'man, sure enough it was due to "Allow non-members to browse the forum" selection being on (under Application Settings). And in my case the problem was also compounded by the DefaultPage 1.2.5 extension being active (DefaultPage sets my categories as the index page).

    If you turn off "Allow non-members to browse the forum" AND do not have DefaultPage extension active, all is fine; however, if you have either (or both), you will get either an error message (with both active) or you will simply get the category view but no direct link to the discussion.

    I wish it could play with both of these conditions (I don't like having just a plain old login screen every time an unauthenticated user visits the forum, and I want users to see the category view first), but I guess you can't have everything. At any rate, Subjunk, thanks for clearing this up and for the quick response. And of course for the terrific extension you've developed. It's way better than the old Notify.
  • I'm glad we managed to work out what was causing the problem, sorry it can't be exactly how you want. I would like to help you make it perfect but I don't have much time at the moment. You're welcome for the extension, thanks for appreciating it :)
  • Would be fantastic if someday you could figure out a way to allow for those conditions (as I'm sure I'm not the only one allowing non-members to browse the forum) but I do respect your time -- I'm sure it takes a lot of work to develop one of these extensions, test, debug, etc. Consider it a backburner request :-)

    Looking forward to future versions of Notifi, keep up the good work ...
  • I could make a custom page that detects the "remember me" cookies and redirects appropriately. Shouldn't be too hard actually, I can see it, might be able to do it sooner than I thought
  • SubJunk, that would be awesome if it could do that! I would very much look forward to that type of addition.
  • Just got a note from a user stating: "the anchor fragment ("...#item_9" at the end of the URL) is, as of recently, always wrong. It points to a comment earlier in the page than the one which is the subject of the message. So each time I click on the link, I am forced to scroll down to find the actual message. Frustrating!"

    He's referring to the links sent out with the notification emails, and I can confirm that he's correct. Has anyone else noticed this?

    As well, any news on that 2.0 release, SubJunk?
  • Where can I see a list of Notifi features?

    I am looking for an add-on that includes the entire posting in the notification messages and also sends messages for each post, even if the user has not logged into the message board after the last posting.

    I would like to make it possible to follow discussions from one's e-mail.

    Is this what Notifi does?

    Anyone have any cautions or suggestions for installing and using it?

    Thank you,

  • Thanks for reporting that, jmcnally, I will have a look. As for version 2.0 I am using it live on some of my forums right now and it is looking good but there are a few more features I want to add. I will probably release it next week sometime.

    Kiril, I replied to your comment on another discussion.