
Serious feed/role security problem

edited February 2006 in Vanilla 1.0 Help
I run a Vanilla forum with several custom roles and custom categories that are specific to those roles. It uses 0.9.2.6. The site doesn't allow guest browsing. I have a user who reports that, using Sharpreader (which can log into the site with a username and password), he gets a feed that contains ALL new discussions, including those that his role should have no ability to see. This is an issue, obviously. In the short term, I guess I want to turn off feeds, but I don't see any administrative way to do that. Can I just delete or rename /forum/feeds/index.html?

Comments

  • I believe just disabling the feed extension will turn them off (I think it's an extension in 0.9.2?). As for the permissions themselves, I'm gonna go out on a limb and guess it's solved in 0.9.3, but I'll leave it to Mark to confirm that. Thanks for reporting it in any case.
  • No problem. It looks like it's not an extension in 9.2.
  • So it's not. Excuse me. In that case deleting the feeds dir should do it just fine :)
  • Mark (Vanilla Staff): In the new version feeds have been completely rewritten. Now they use the exact same query code as the pages themselves, so this issue will not occur.
  • Actually, it gets weirder. Turns out, when that SAME user hits the feed with Firefox, he gets a feed that only contains discussions from appropriate categories. When he uses Sharpreader, he gets stuff he shouldn't be getting; he quoted me some discussion titles that are definitely from outside what his permissions should allow. I just double-checked that the feed isn't visible without a password: Bloglines can't see a feed there at all, for instance.
  • That may be a cache issue.
  • Don't know what you mean by that, Bergamot. As far as I've been able to ascertain, it was like this from this user's first visit to the feed on the two different programs. Anyhow, I've killed feeds on my site until 9.3 comes out, and I'm happy to have submitted this bug report (though I have a creeping suspicion I put it in the wrong category...). Thanks for all your work on this EXCELLENT package.
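Mark's staff comment above describes the fix: the feed and the HTML page share one query, so a feed client cannot receive discussions the page would hide. The following is an added Python sketch of that design, not Vanilla's own code; the roles, categories and discussions are constructed sample data, and `legacy_feed` stands in for a feed path that runs its own unfiltered query, which is the kind of drift the thread reports.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Discussion:
    id: int
    title: str
    category: str


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset  # empty for a guest


# Constructed sample data: which roles may read which category.
CATEGORY_ROLES = {
    "General": {"member", "staff"},
    "Staff Only": {"staff"},
}

DISCUSSIONS = [
    Discussion(1, "Welcome", "General"),
    Discussion(2, "Payroll schedule", "Staff Only"),
    Discussion(3, "Forum rules", "General"),
]


def visible_discussions(user, discussions=DISCUSSIONS):
    """The single authorization query. Guests (no roles) see nothing,
    matching a forum that disallows guest browsing."""
    return [d for d in discussions
            if user.roles & CATEGORY_ROLES.get(d.category, set())]


def render_page(user):
    """HTML discussion list: titles the user may read."""
    return [d.title for d in visible_discussions(user)]


def render_feed(user):
    """RSS-style feed built from the SAME query as the page."""
    return [f"<item><title>{d.title}</title></item>"
            for d in visible_discussions(user)]


def legacy_feed(user):
    """Separate feed query that forgot the role filter (the reported bug)."""
    return [d.title for d in DISCUSSIONS]


def leaked_titles(user):
    """Titles the legacy feed exposes that the page would not show."""
    return sorted(set(legacy_feed(user)) - set(render_page(user)))
```

A regression check that compares `render_feed` against `render_page` for each role catches this class of bug before a user does.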