View rights inconsistently enforced between Profile discussions & comments!
jrapage
If you have Categories that have different View permissions (i.e. non-signed-in users may not view), the visibility is not enforced correctly between the following pages:
YOURSITE/index.php?p=/profile/discussions/ID/USER
Yes - hides discussions started by the user in categories the viewer is not permitted to view.
YOURSITE/index.php?p=/profile/comments/ID/USER
NO! - shows all latest comments by the user regardless of category permissions.
This is a *major* privacy/security hole that puts any board at risk that has category view rights assigned to select groups.
Is anyone familiar with the code behind the Discussions and Comments tabs on a user's profile page? The former checks for rights whereas the latter doesn't.
Thanks
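A model of the two profile tabs' authorization checks, as an added example that is not Vanilla's code and not the poster's: the category, role and sample data below are assumptions constructed for illustration. It shows the Discussions tab applying the category view check, the Comments tab skipping it as reported, and the Comments tab with the same check restored (resolving each comment to its discussion's category). `audit_profile_tabs` computes which comment IDs the unchecked tab would expose to a given viewer, which is the comparison a board admin would run to see what a signed-out visitor actually gets.

```python
# Added example (not Vanilla's code): a model of the category view check that the
# profile Discussions tab applies and the profile Comments tab was reported to skip.
# All names and data below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Category:
    id: int
    name: str
    view_roles: frozenset  # roles allowed to view; "Guest" = signed-out visitor


@dataclass(frozen=True)
class Discussion:
    id: int
    category_id: int
    author: str
    title: str


@dataclass(frozen=True)
class Comment:
    id: int
    discussion_id: int
    author: str
    body: str


# Constructed sample board: one public category, one restricted to Staff.
CATEGORIES = {
    1: Category(1, "General", frozenset({"Guest", "Member", "Staff"})),
    2: Category(2, "Staff Only", frozenset({"Staff"})),
}
DISCUSSIONS = [
    Discussion(10, 1, "alice", "Welcome"),
    Discussion(11, 2, "alice", "Moderation queue"),
    Discussion(12, 2, "bob", "Incident review"),
]
COMMENTS = [
    Comment(100, 10, "alice", "Hello all"),
    Comment(101, 12, "alice", "Agree, we should rotate the keys"),
    Comment(102, 11, "alice", "Two reports pending"),
    Comment(103, 999, "alice", "Orphaned: parent discussion was deleted"),
]
DISCUSSIONS_BY_ID = {d.id: d for d in DISCUSSIONS}

GUEST = frozenset({"Guest"})
STAFF = frozenset({"Member", "Staff"})


def viewable_category_ids(viewer_roles):
    """Categories the viewer may see: any overlap between their roles and the category's view roles."""
    return {c.id for c in CATEGORIES.values() if c.view_roles & viewer_roles}


def profile_discussions(user, viewer_roles):
    """Discussions tab: filters the user's threads by the viewer's category permissions."""
    allowed = viewable_category_ids(viewer_roles)
    return [d for d in DISCUSSIONS if d.author == user and d.category_id in allowed]


def profile_comments_unchecked(user):
    """Comments tab as reported: the viewer's permissions are never consulted."""
    return [c for c in COMMENTS if c.author == user]


def profile_comments(user, viewer_roles):
    """Comments tab with the same check: resolve each comment to its discussion's category.
    A comment whose discussion cannot be found is dropped (fail closed) rather than shown."""
    allowed = viewable_category_ids(viewer_roles)
    result = []
    for c in COMMENTS:
        if c.author != user:
            continue
        parent = DISCUSSIONS_BY_ID.get(c.discussion_id)
        if parent is None or parent.category_id not in allowed:
            continue
        result.append(c)
    return result


def audit_profile_tabs(user, viewer_roles):
    """IDs of comments the unchecked tab would expose to this viewer but the checked one hides."""
    shown = {c.id for c in profile_comments_unchecked(user)}
    permitted = {c.id for c in profile_comments(user, viewer_roles)}
    return shown - permitted


if __name__ == "__main__":
    for label, roles in (("guest", GUEST), ("staff", STAFF)):
        print(label, "discussions:", [d.id for d in profile_discussions("alice", roles)])
        print(label, "comments (checked):", [c.id for c in profile_comments("alice", roles)])
        print(label, "leaked by unchecked tab:", sorted(audit_profile_tabs("alice", roles)))
```

Two design points worth noting: a comment is only as visible as the discussion it belongs to, so the check has to follow the comment → discussion → category chain rather than look at the comment alone, and a comment whose parent cannot be resolved is hidden rather than shown. In a real application this filter belongs in the query that builds the tab (a join from comments through discussions to the viewer's permitted categories), not in a post-fetch loop, so that paging counts and the rendered list agree.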
Comments
It will be in the next release, and I'll bring it to the attention of the staff in case they want to do an immediate patch release.
Thanks!
Verified this is fixed in 2.1