
How secure are Private Discussions/Boards

Hi there

I need some reassurance that private discussion categories are secure from being viewed by users without the right permissions...

Have there been any issues to do with this? Has anyone found a way to view private discussions without the right permissions?

How solid is the roles and permissions programming?

Can anyone give me some reassurance on this?

Would be grateful...

Comments

  • hgtonight ∞ · New Moderator

    If all you are worried about are people being able to view others' private messages, I can assuage your fears. I have not found or heard of any way to access private message data without the proper permissions. Take that for what you will.

    On the other hand, anyone crafty enough to get db access will be able to easily view the contents of private messages as they are stored in plain text.

    Does this worry me? No. Should it worry you? Only you can answer that.

    Does this answer your question?

    Search first

    Check out the Documentation! We are always looking for new content and pull requests.

    Click on insightful, awesome, and funny reactions to thank community volunteers for their valuable posts.

  • Hi hgtonight :)

    Thanks for the reply...

    I came across this post, which was a little worrying, and no one had responded to it.

    http://vanillaforums.org/discussion/15891/access-to-private-discussions

    I am asking as I am developing for a client whose previous forum had private boards (for mods) revealed by an unknown bug?

    This has caused him to think that to be safe is to host another forum away from the users on the main forum. This seems a little overkill, and maybe less-friendly/poorer user experience for the mods that will need access to the private boards.

    I would like to convince him that Vanilla's chances of revealing the private boards for mods are super slim... but I'm not sure how to explain this.

    Best

    Johnny

  • hgtonight ∞ · New Moderator

    That discussion you linked is pointing out a potential bug in the API (JSON) addon. I don't suggest using it (mostly because @kasperisager has a better addon).

    I would be wary of any addon that plugs into the conversation application. When in doubt, go without. :D
