Applicants can flag posts v 2.1.10

almostbasic

Today, my forum was attacked by an unverified applicant using the "Flagging" feature. It was clearly some sort of script, as he flagged around 40,000 posts, which crippled our mail server from all of the notifications being sent.

There is nothing checked for the flagging plugin in the roles / permissions screen for applicants. However, he clearly used it. I set up a test account in the applicant usergroup, and sure enough - the "Flag" links show up and work.

How can I actually block applicants from using the "Flagging" feature?

hgtonight

This sounds like a role permission issue.

The flagging plugin (v1.1.1) has a permission check for 'Garden.Moderation.Manage' for all flagging purposes.

almostbasic

Agreed, but I don't understand why. Here is my permissions settings for "Applicant"

According to those rules, Applicant should not be able to flag, right?

x00

make sure you update your fourm to 2.1.11

almostbasic

Planning to, is this something that was dealt with in 2.1.11, or is that just a general recommendation?

hgtonight

@almostbasic That is excellent advice.

peregrine

@almostbasic said:

According to those rules, Applicant should not be able to flag, right?

actually the attack you mention was overlooked. they can flag but should be prevented.

good catch...

It doesn't matter if you have version 2.1.11 with respect to the "FLAW" you have reported.

I figure if an applicant can cripple your server like this , it is a security bug, Others can call it what they want.

Applicants do indeed have a flagging option with vanilla 2.1.11.

you might consider turning off viewing of comments and discussions for applicants, might alleviate the issue until a role option for ability to flag is added and permission of role checked.

see below on how to change....

peregrine

@almostbasic said:

How can I actually block applicants from using the "Flagging" feature?

to add a role specific option to allow flagging by role and prevent above mishap of server crash due to applicant abusing flagging option.

you could modify the flagging plugin.

• 1 disable the plugin.

in the flagging plugin folder

---

• 2 change class.flagging.plugin.php in the flagging plugin folder

around line 22...

'RegisterPermissions' => array('Plugins.Flagging.Notify'),

to

'RegisterPermissions' => array('Plugins.Flagging.Notify','Plugins.Flagging.Allow'),

around line 190 or so

also change from

protected function AddFlagButton($Sender, $Args, $Context = 'comment') {

to

  protected function AddFlagButton($Sender, $Args, $Context = 'comment') {
   // add line below to check for allow flagging permission
   if (!(Gdn::Session()->CheckPermission('Plugins.Flagging.Allow')))  return;  

also change around line 224 or so

from

public function DiscussionController_Flag_Create($Sender) {

to

                 public function DiscussionController_Flag_Create($Sender) {
                      // add line below to check for allow flagging permission
                      if (!(Gdn::Session()->CheckPermission('Plugins.Flagging.Allow')))  return;

---

• 3 reenable the plugin.

(disabling and re-enabling plugin after changes will give you a new permissions checkbox. in the roles and permissions of dashboard.

---

• 4 give any role that you want to have the ability to flag the allow check under the flagging plugin

make sure the box allow for flagging is unchecked for applicants and other non-trusted roles.

peregrine

almostbasic

Thanks a ton peregrine - that seems to work. I really appreciate you taking the time to come up with a solution.

peregrine

@almostbasic said:
Thanks a ton peregrine - that seems to work. I really appreciate you taking the time to come up with a solution.

pleasure...

well, I thought you brought up a good point that was overlooked and could be taken advantage of with respect to flagging plugin