Discussions Visible to a User that has no Rights
Version information:
Clean install of Vanilla 2, version 2.0.19, via Simple Scripts on Bluehost.
I did not see Vanilla 2.0.18 (beta 2) as an option. All I had were the following options:
2.0.16, 2.0.17.3, 2.0.17.4, 2.0.17.6, 2.0.17.8, 2.0.17.10 and 2.0.19 (so I went with 2.0.19). By the way, they were all marked as STABLE.
I was not sure if this issue was due to a plugin, so I did a fresh test install to see if I could reproduce the same results.
I set up a role and permissions profile called "Gavin" that had no permissions whatsoever except for signing in and viewing profiles
(at a minimum we need the user to be able to sign in, decide what type of notifications he will receive, and set up his profile). I do not want him to have permission to view, edit, or post to any discussions.
After setting up a test user "Gavin" who is assigned the roles and permissions called "Gavin", and still logged in as the admin, I went to the discussions page and started a few new topics and posted to each a few times.
Then I logged out as Admin and logged in as Gavin. As expected, Gavin could not see any topics/discussions, nor could he start any. So you would think all is OK, but it is not. Gavin can click on his profile (his name at the top of the page); the URL would look something like this: http://www.domain-name.us/Install-Folder/profile/Gavin
If Gavin has any items under Activity that carry another user's name, then Gavin can go to that user's profile page and now has access to their wall, activity, discussions, and comments.
So here is a sample activity on Gavin's wall
Gavin → admin Can I add something here
If Gavin clicks on admin (which is a hyperlink to http://www.domain-name.us/Install-Folder/profile/1/admin), he will be directed to the admin's wall and to his activity, discussions, and comments. If he clicks on Comments, he will see all of the admin's most recent discussions and new posts. You would think this is not so bad, but remember that Gavin does not have permission to add, edit, view, or post to any discussion. (Under this test he is not supposed to see anything regarding posts.)
I hope the above is helpful in figuring out what the problem is.
I think there should be a way to allow Gavin to see his own wall while not seeing other walls or discussions. I don't think I will ever have a user with access to no discussions, but setting things up as I did above shows that Gavin had access to stuff he shouldn't.
Here is a YouTube video showing step by step how I had it set up:
http://www.youtube.com/watch?v=vkXt0ulUT8o
OK, I know the above is not in a question format, so I guess the question is: what am I doing wrong, or is there a fix for this that I am not aware of?
Albin
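The failure mode Albin describes is a classic one: the discussion index enforces the discussion-view permission, but a second route to the same data (the Comments and Discussions tabs on another user's profile) only enforces the profile-view gate. The Python below is an added example, not Vanilla's code and not a description of what the linked commit changes. It models that split and an audit that enumerates every route rendering discussion data and flags those that return records to a viewer who lacks the discussion-view permission. The user, role, permission and route names are assumptions modelled on Vanilla's naming, and the sample discussions and comments are constructed.

```python
"""Route-parity audit for the permission gap described in the post above.

Added illustration, not Vanilla's code. A viewer whose role has only
sign-in and profile-view rights (the "Gavin" role) is run against every
route that renders another user's discussion data. Unpatched profile
routes check only the profile gate, so discussion data leaks through them;
patched routes also require the discussion-view permission. Permission
and route names are assumptions modelled on Vanilla's naming.
"""
from typing import Callable, Dict, List


class Forbidden(Exception):
    """Raised when the viewer lacks a required permission."""


# Constructed sample data: two users, two roles, a few discussions/comments.
USERS = {"admin": {"roles": {"Administrator"}}, "Gavin": {"roles": {"Gavin"}}}
ROLE_PERMISSIONS = {
    "Administrator": {"Garden.SignIn.Allow", "Garden.Profiles.View",
                      "Vanilla.Discussions.View", "Vanilla.Discussions.Add"},
    "Gavin": {"Garden.SignIn.Allow", "Garden.Profiles.View"},
}
DISCUSSIONS = [
    {"id": 10, "author": "admin", "name": "Welcome"},
    {"id": 11, "author": "admin", "name": "Site rules"},
]
COMMENTS = [
    {"id": 100, "discussion_id": 10, "author": "admin", "body": "First post"},
    {"id": 101, "discussion_id": 11, "author": "admin", "body": "Read these"},
]


def has_permission(viewer: str, permission: str) -> bool:
    """True if any role of `viewer` grants `permission`."""
    return any(permission in ROLE_PERMISSIONS[role]
               for role in USERS[viewer]["roles"])


def require(viewer: str, permission: str) -> None:
    if not has_permission(viewer, permission):
        raise Forbidden(f"{viewer} lacks {permission}")


# --- routes: each returns the records it would render for `viewer` ---

def discussions_index(viewer: str, target: str) -> List[dict]:
    # The main listing enforces the discussion permission; Gavin sees nothing.
    require(viewer, "Vanilla.Discussions.View")
    return DISCUSSIONS


def profile_comments_unpatched(viewer: str, target: str) -> List[dict]:
    # Bug pattern: only the profile gate is checked, yet the payload is
    # comment data the viewer has no right to see.
    require(viewer, "Garden.Profiles.View")
    return [c for c in COMMENTS if c["author"] == target]


def profile_discussions_unpatched(viewer: str, target: str) -> List[dict]:
    require(viewer, "Garden.Profiles.View")
    return [d for d in DISCUSSIONS if d["author"] == target]


def profile_comments_patched(viewer: str, target: str) -> List[dict]:
    # Fix pattern: the data's own permission is enforced on every route
    # that renders it, not just on the primary listing.
    require(viewer, "Garden.Profiles.View")
    require(viewer, "Vanilla.Discussions.View")
    return [c for c in COMMENTS if c["author"] == target]


def profile_discussions_patched(viewer: str, target: str) -> List[dict]:
    require(viewer, "Garden.Profiles.View")
    require(viewer, "Vanilla.Discussions.View")
    return [d for d in DISCUSSIONS if d["author"] == target]


Route = Callable[[str, str], List[dict]]
UNPATCHED_ROUTES: Dict[str, Route] = {
    "discussions/index": discussions_index,
    "profile/comments": profile_comments_unpatched,
    "profile/discussions": profile_discussions_unpatched,
}
PATCHED_ROUTES: Dict[str, Route] = {
    "discussions/index": discussions_index,
    "profile/comments": profile_comments_patched,
    "profile/discussions": profile_discussions_patched,
}


def audit(routes: Dict[str, Route], viewer: str, target: str) -> Dict[str, str]:
    """Call every discussion-exposing route as `viewer` and record the outcome.

    "denied": the route raised Forbidden. "allowed": it returned records to
    an entitled viewer (or nothing at all). "leak": it returned discussion
    records to a viewer who lacks Vanilla.Discussions.View.
    """
    entitled = has_permission(viewer, "Vanilla.Discussions.View")
    results: Dict[str, str] = {}
    for name, route in routes.items():
        try:
            records = route(viewer, target)
        except Forbidden:
            results[name] = "denied"
            continue
        results[name] = "allowed" if entitled or not records else "leak"
    return results


def leaking_routes(routes: Dict[str, Route], viewer: str, target: str) -> List[str]:
    """Route names through which `viewer` can read `target`'s discussion data."""
    return sorted(n for n, r in audit(routes, viewer, target).items() if r == "leak")


if __name__ == "__main__":
    print("unpatched leaks:", leaking_routes(UNPATCHED_ROUTES, "Gavin", "admin"))
    print("patched leaks:  ", leaking_routes(PATCHED_ROUTES, "Gavin", "admin"))
```

The point of the audit is that it checks parity across routes rather than the single page where the bug was noticed: the same kind of table can be built for a real install by listing every controller method that renders discussion or comment data and walking it with a low-privilege session.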
Best Answer
luc: It's fixed in 2.0.18b2.
Somehow it missed 2.0.17.10.
There's no 2.0.19.
Here's the fix you could apply manually:
https://github.com/vanillaforums/Garden/commit/bfe5fbae87ef7b0521297b9afacf115648bdf688
Answers
Here is a screenshot of the available versions to install via Simple Scripts on Bluehost.
http://dl.dropbox.com/u/35832378/share_$N 20072011_081433.jpg
I went to the index.php file and now see that the file says I have installed 2.0.17.9.
http://dl.dropbox.com/u/35832378/share_$N 20072011_090447.jpg
I am guessing there was a typo here: instead of entering 2.0.17.9, they entered 2.0.19.
I will report this to BlueHost.
I will also download 2.0.18b2. Thanks for helping me out with this.