We sorted it out. It wasn't a security hole as far as I can tell, but it just let non-users on a public forum see the Notification interface for accounts that don't exist, but interaction with the database does not occur. Anyway I've fixed it for the 2.0 release but there is still no rush with that because the current release 1.8.2 is still stable. Thanks dookie for mentioning it, it is great to know that there are people who will tell me if they find bugs, and spode thanks for pointing it out about the PM, that is the right way to report security bugs.
Subjunk, question ... is there a way for the link to the discussion in the email to authenticate the user before it attempts to visit the subscribed thread? If the user is already logged in this works fine of course, but if user is not logged in (which is often the case I'm finding out) the page they go to when clicking the email link says "discussion not found," with no further details. To most users this looks like a fatal error message.
Would be great if that issue were addressed, making an already fantastic extension that much better. Thanks for all your hard work.
Weird. When a user is not logged in on mine, it takes them to a page which says "Some problems were encountered. The requested discussion could not be found." Any clues as to what might be happening?
Are you using Notifi 1.8.2 and Vanilla 1.1.5a? Well there is a way you could modify Notifi in order to make it work in that case but it won't work for users who are logged in. It's not an elegant solution but if you have more users who don't stay logged in than those who do it may be a better option until I or someone else can figure out why this is happening for you.
Open extensions/Notifi/default.php and change lines 352 to 373 to this:
<a href="'.$DiscussionForm->Context->Configuration['BASE_URL'].'people.php?PageAction=SignOutNow&ReturnUrl='.$DiscussionForm->Context->Configuration['BASE_URL'].'comments.php?DiscussionID='.$DiscussionID.'&page='.$pageNumber.'#Item_'.$commentNo.'">Click here to view the comment on the forum</a> or copy and paste the following link into your web browser:<br />
'.$DiscussionForm->Context->Configuration['BASE_URL'].'people.php?PageAction=SignOutNow&ReturnUrl='.$DiscussionForm->Context->Configuration['BASE_URL'].'comments.php?DiscussionID='.$DiscussionID.'&page='.$pageNumber.'#Item_'.$commentNo.'<br /><br />
Kind regards,<br />
'.$DiscussionForm->Context->Configuration['SUPPORT_NAME'].'
</body>
</html>';
}
// If this is a new discussion
else {
$message = '
<html>
<body style="background-color:#fff;">
Hello '.$mName.',<br /><br />
A new discussion called <strong>'.$discussionName.'</strong> was started, the comment is as follows.
<div style="margin: 20px 0; padding: 10px; background-color: #fef9e9; border: 1px #ffedae solid;">
<p style="padding: 5px; margin: 0 0 5px 0; background-color: #fff; border: 1px #ccc solid;">
Post by: <strong>'.$mPosterName.'</strong>
</p>
'.$mComment.'<br />
</div>
<a href="'.$DiscussionForm->Context->Configuration['BASE_URL'].'people.php?PageAction=SignOutNow&ReturnUrl='.$DiscussionForm->Context->Configuration['BASE_URL'].'comments.php?DiscussionID='.$DiscussionID.'&page='.$pageNumber.'#Item_'.$commentNo.'">Click here to view the new discussion on the forum</a> or copy and paste the following link into your web browser:<br />
'.$DiscussionForm->Context->Configuration['BASE_URL'].'people.php?PageAction=SignOutNow&ReturnUrl='.$DiscussionForm->Context->Configuration['BASE_URL'].'comments.php?DiscussionID='.$DiscussionID.'&page='.$pageNumber.'#Item_'.$commentNo.'<br /><br />
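The link in the snippet above concatenates the inner comments.php URL into ReturnUrl without encoding it. The following PHP is an added example (not part of the original post or of Notifi) that shows what standard query-string parsing yields for that link and for one built with http_build_query; the base URL, IDs and function names are constructed, and how Vanilla's people.php consumes ReturnUrl is not shown on this page.

```php
<?php
// Added example, not Notifi code. The base URL and IDs are constructed sample values.

// The link as the posted snippet builds it: the inner URL is concatenated unencoded.
function link_concatenated(string $baseUrl, int $discussionId, int $page, int $commentNo): string {
    return $baseUrl.'people.php?PageAction=SignOutNow&ReturnUrl='.$baseUrl
        .'comments.php?DiscussionID='.$discussionId.'&page='.$page.'#Item_'.$commentNo;
}

// The same link with the inner URL passed as a single encoded query value.
function link_encoded(string $baseUrl, int $discussionId, int $page, int $commentNo): string {
    $returnUrl = $baseUrl.'comments.php?'.http_build_query(
        ['DiscussionID' => $discussionId, 'page' => $page], '', '&');
    $query = http_build_query(
        ['PageAction' => 'SignOutNow', 'ReturnUrl' => $returnUrl], '', '&');
    return $baseUrl.'people.php?'.$query.'#Item_'.$commentNo;
}

// What standard query-string parsing hands to the script that receives the link.
function received_params(string $link): array {
    parse_str((string) parse_url($link, PHP_URL_QUERY), $params);
    return $params;
}

$base = 'https://forum.example/'; // constructed
$links = [
    'concatenated' => link_concatenated($base, 42, 3, 9),
    'encoded'      => link_encoded($base, 42, 3, 9),
];

foreach ($links as $label => $link) {
    $p = received_params($link);
    echo $label, "\n";
    echo '  ReturnUrl        = ', $p['ReturnUrl'], "\n";
    // In the concatenated form "&page=" ends the ReturnUrl value and becomes
    // a separate top-level parameter of people.php.
    echo '  stray page param = ', isset($p['page']) ? $p['page'] : '(none)', "\n";
    // When placing the link in the HTML e-mail body, escape it for the attribute.
    echo '  href value       = ', htmlspecialchars($link, ENT_QUOTES), "\n";
}
```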
Yes, I'm using Vanilla 1.1.5a and Notifi 1.8.2. Hmm, I'm not sure that solution would work either, then I may have the opposite problem at some point. I may give it a whirl anyway ... but I'd rather try and figure out if there is some reason my setup is throwing error messages up when unauthenticated users click on the email links.
Anybody else having this problem? A possible extension conflict perhaps?
Anyway, Subjunk thanks for your help and looking into this -- appreciated!
ps :: if this helps, these are the extensions I'm currently running:
AddMember 1.0
Applicant Email Verification 0.4.2.b
Attachments 2.1
Category Jumper 1.0
DefaultPage 1.1.0
Extended Application Form 1.0
Extended Text Formatter 1.2
Html Formatter 2.4
Inline Images 1.3
Latest Posts Integration 1.1
MembersList 1.2
New Applicants 1.3
Notifi 1.8.2
Nuggets 1.1.6
Participated Threads 1.3
Disabled ALL extensions except Notifi, but no luck -- when a user is not logged in and clicks on the link provided in the generated email, it still takes them to a page which says "Some problems were encountered. The requested discussion could not be found." Same results as before (with all of my extensions enabled). At first I suspected DefaultPage extension could be the cause, but that didn't seem to hold true.
Anybody else getting the "some problems were encountered ..." message?
You could make a new thread about this in the general support section because it has nothing to do with Notifi; the link that Notifi generates is just a normal Vanilla link, nothing special about it. Other people may be more likely to help you if you make a new thread, because they might not check this one. I suspect it is some setting you have selected in the Application Settings that is making it behave like this, I will be interested to know which setting it is. Again, if you wanted to you could tick and untick settings in there to test that theory.
Subjunk, you d'man, sure enough it was due to "Allow non-members to browse the forum" selection being on (under Application Settings). And in my case the problem was also compounded by the DefaultPage 1.2.5 extension being active (DefaultPage sets my categories as the index page).
If you turn off "Allow non-members to browse the forum" AND do not have DefaultPage extension active, all is fine; however, if you have either (or both), you will get either an error message (with both active) or you will simply get the category view but no direct link to the discussion.
I wish it could play with both of these conditions (I don't like having just a plain old login screen every time an unauthenticated user visits the forum, and I want users to see the category view first), but I guess you can't have everything. At any rate, Subjunk, thanks for clearing this up and for the quick response. And of course for the terrific extension you've developed. It's way better than the old Notify.
I'm glad we managed to work out what was causing the problem, sorry it can't be exactly how you want. I would like to help you make it perfect but I don't have much time at the moment. You're welcome for the extension, thanks for appreciating it.
Would be fantastic if someday you could figure out a way to allow for those conditions (as I'm sure I'm not the only one allowing non-members to browse the forum) but I do respect your time -- I'm sure it takes a lot of work to develop one of these extensions, test, debug, etc. Consider it a backburner request :-)
Looking forward to future versions of Notifi, keep up the good work ...
I could make a custom page that detects the "remember me" cookies and redirects appropriately. Shouldn't be too hard actually, I can see it, might be able to do it sooner than I thought.
Just got a note from a user stating: "the anchor fragment ("...#item_9" at the end of the URL) is, as of recently, always wrong. It points to a comment earlier in the page than the one which is the subject of the message. So each time I click on the link, I am forced to scroll down to find the actual message. Frustrating!"
He's referring to the links sent out with the notification emails, and I can confirm that he's correct. Has anyone else noticed this?
As well, any news on that 2.0 release, SubJunk?
Where can I see a list of Notifi features?
I am looking for an add-on that includes the entire posting in the notification messages and also sends messages for each post, even if the user has not logged into the message board after the last posting.
I would like to make it possible to follow discussions from one's e-mail.
Is this what Notifi does?
Anyone have any cautions or suggestions for installing and using it?
Thank you,
Kiril
Thanks for reporting that, jmcnally, I will have a look. As for version 2.0 I am using it live on some of my forums right now and it is looking good but there are a few more features I want to add. I will probably release it next week sometime.
Kiril, I replied to your comment on another discussion.
Comments
P.S. How do I send a private message?