
Discussions Visible to a User that has no Rights

edited July 2011 in Vanilla 2.0 - 2.8
Version information:
Clean version install of Vanilla 2, version 2.0.19, via simple scripts on Bluehost.
I did not see Vanilla 2.0.18 (beta 2) as an option. All I had were the following options:
2.0.16, 2.0.17.3, 2.0.17.4, 2.0.17.6, 2.0.17.8, 2.0.17.10 and 2.0.19 (so I went with 2.0.19). By the way, they were all marked as STABLE.

I was not sure if this issue was due to a plugin, so I did a fresh test install to see if I could produce the same results.

I set up a Role and Permissions profile called "Gavin" that had no permissions whatsoever except for signing in and viewing profiles
(at a minimum we need the user to be able to sign in, and we need the user to be able to decide what type of notifications he will receive and be able to set up his profile). I do not want him to have permissions to view, edit, or post to any discussions.

After setting up a test user "Gavin" who is assigned the role and permissions called "Gavin", and while still logged in as the admin, I went to the discussions page, started a few new topics and posted to each a few times.

Then I logged out as admin and logged in as Gavin. As expected, Gavin could not see any topics/discussions, nor could he start any topics or discussions. So you would think all is OK, but it is not. Gavin can click on his profile (his name at the top of the page), for which the URL would look something like this: http://www.domain-name.us/Install-Folder/profile/Gavin

If Gavin has any items under Activity that carry another user's name, then Gavin can go to that user's profile page and now has access to their wall, and to their activity, discussions, and comments.

So here is a sample activity on Gavin's wall:
Gavin → admin Can I add something here

If Gavin clicks on "admin" (which is a hyperlink to http://www.domain-name.us/Install-Folder/profile/1/admin), he will be directed to the admin's wall and to his activity, discussions, and comments, and if he clicks on Comments he will see all of the admin's most recent discussions the admin created or new posts that he made. You would think this is not so bad, but remember Gavin does not have permission to add, edit, view, or post to any discussion (under this test he is not supposed to see anything regarding posts).

I hope the above is helpful in figuring out what the problem is.

I think there should be a way to allow Gavin to see his own wall and also have it so that he cannot see other walls and cannot see discussions. I don't think that I will ever have a user that will have access to no discussions, but setting it up as I did above shows that Gavin did have access to stuff he shouldn't.

Here is a YouTube video showing step by step how I had it set up:
http://www.youtube.com/watch?v=vkXt0ulUT8o

OK, I know the above is not in a question format, so I guess the question is: what am I doing wrong, or is there a fix for this that I am not aware of?

Albin
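To make the gap Albin describes concrete, here is a small Python model added to this thread; it is not Vanilla's own code. The role table, sample comments and the two handlers standing in for the /discussions and /profile/<user>/comments routes are assumptions, and the permission names only follow the Vanilla 2 naming style. The hardened profile handler applies the same discussion-view check on the indirect route that the discussions index already enforces.

```python
# Constructed model of the authorization gap the post describes. Not Vanilla
# Forums code: roles, data and handlers are assumptions; names mimic Vanilla 2.

# Role table from the post: "Gavin" may sign in and view profiles, nothing else.
ROLE_PERMISSIONS = {
    "Administrator": {"Garden.SignIn.Allow", "Garden.Profiles.View",
                      "Vanilla.Discussions.View", "Vanilla.Comments.Add"},
    "Gavin": {"Garden.SignIn.Allow", "Garden.Profiles.View"},
}

# Constructed comments the admin posted in discussions Gavin may not view.
ADMIN_COMMENTS = [
    {"discussion": "Welcome thread", "body": "First post by admin"},
    {"discussion": "Site rules", "body": "Please read before posting"},
]

class PermissionDenied(Exception):
    pass

def require(role: str, permission: str) -> None:
    """Reject the request unless the role carries the named permission."""
    if permission not in ROLE_PERMISSIONS.get(role, set()):
        raise PermissionDenied(permission)

def discussions_index(role: str) -> list:
    """/discussions: checks Vanilla.Discussions.View, so Gavin sees nothing here."""
    require(role, "Vanilla.Discussions.View")
    return [c["discussion"] for c in ADMIN_COMMENTS]

def profile_comments_vulnerable(role: str, target_user: str) -> list:
    """/profile/<user>/comments as observed: only the profile permission is
    checked, so comment bodies leak through this indirect route."""
    require(role, "Garden.Profiles.View")
    return list(ADMIN_COMMENTS)

def profile_comments_fixed(role: str, target_user: str) -> list:
    """Hardened form: a profile tab that renders discussion content applies the
    same discussion-view check as the discussions index."""
    require(role, "Garden.Profiles.View")
    require(role, "Vanilla.Discussions.View")
    return list(ADMIN_COMMENTS)

def is_denied(handler, *args) -> bool:
    """True when the handler refuses the request with PermissionDenied."""
    try:
        handler(*args)
    except PermissionDenied:
        return True
    return False
```

Running the two profile handlers with the "Gavin" role shows the difference: the observed version returns the admin's comment bodies, the hardened one refuses with Vanilla.Discussions.View.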
