Approval Method Not Working: Pending Users Can Still Post Discussions
Bridgetheory
We are experiencing an issue with the "Approval" method. When a new user account is created, that user can immediately post new discussions despite us using the "Approval" method and disabling the email confirmation setting.
Steps to reproduce:
- Go to Recovery.org/forums
- Click on "Join" and create an account. Your account theoretically should be pending.
- Go to the "Forums" link at the top of the page and create a new discussion (please use a "." in the subject and body line because this is a live forum and we don't want "test" emails showing up if possible).
You will be able to post a discussion despite your account being listed in the Applicant pending list.
The account is successfully wiped out once the admin/moderator selects "Decline" but the user can still post freely in the meantime. This completely negates the purpose of having an approval process. Please help!
The client is still using 2.1.1 and feels it's too risky to update. Is this a flaw in the system? Is there any way to resolve this without updating?
Thanks in advance!
Comments
Maybe edit the permissions for all your categories and remove the Add comment/discussion permissions for the applicant part. That's how I would do it. If you create a new category and use custom permissions, you can see the comments and discussions are also checked or allowed for Applicant member.
Wow, you totally nailed it @xifekobo, thank you for the fastest response ever! That was totally the issue. Somehow the applicant permissions got changed up to allow Applicants to post new posts/comments. I'm not quite sure how these got changed up (I know I had these settings dialed in before) but somewhere along the way they did. Unchecking these totally solved the issue. Thank you again!
While the fix may temporarily fix things,
perhaps the hacker who overcame all the security holes in Vanilla 2.1.1 changed it.
Pretty risky not to upgrade. And if your site is not already compromised, hackers do know ways to compromise Vanilla 2.1.1.
It is TOO RISKY not to update.
When you get hacked again or have something happen that you didn't do.
Use this if you have a problem with a certain step - don't skip it.
Use PHP 5.4, 5.5, or 5.6, and make sure rewrite/pretty URLs are enabled and working before upgrading.
https://vanillaforums.org/discussion/31153/tutorial-a-fool-proof-way-to-do-a-vanilla-upgrade-from-2-1-to-2-2
https://vanillaforums.org/discussion/28420/frequently-asked-question
also see https://vanillaforums.org/discussion/comment/243181/#Comment_243181
After you update your forum, look and verify that other users didn't magically become admins or that certain roles got admin-type permissions, e.g. user edit, etc.
Yes, a flaw in Vanilla 2.1.1 - lots of security holes.
https://vanillaforums.org/discussion/29835/vanilla-2-1-10-released-critical-security-update
https://vanillaforums.org/discussion/30123/vanilla-2-1-11-released-security-patch
https://vanillaforums.org/discussion/30966/vanilla-2-1-12-released-security-update
https://vanillaforums.org/discussion/31046/vanilla-2-1-13-security-updates
Is there any way to resolve this without updating?
Nothing reliable, until a hacker changes permissions again.
Gently put, your client should fire you if you can't convince them to upgrade ASAP, or you should fire your client if they are unwilling.
Pragmatism is all I have to offer. Avoiding the sidelines and providing centerline pro-tips.
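A quick way to turn the two checks raised in this thread (are Applicants allowed to add discussions or comments in any category, and did any role other than Administrator pick up admin-type permissions such as user edit after the upgrade) into a repeatable audit. This is an added Python example, not code posted in the thread or shipped with Vanilla. It assumes rows exported from Vanilla's GDN_Role and GDN_Permission tables with one column per permission (Vanilla.Discussions.Add, Garden.Users.Edit, ...) and a JunctionTable/JunctionID pair on per-category rows; that row shape, and the role and permission rows below, are constructed for the example.

```python
"""Audit a Vanilla 2.x role/permission export for pending roles that can post
and for non-admin roles holding admin-type permissions.

Assumption (not from the thread): rows mirror GDN_Role and GDN_Permission,
global permission rows have JunctionTable None, per-category rows have
JunctionTable "Category" and JunctionID = CategoryID."""

# Permissions a pending (Applicant) or Guest role should never hold.
POSTING_PERMS = ("Vanilla.Discussions.Add", "Vanilla.Comments.Add")
# Permissions that effectively make a role an administrator.
ADMIN_PERMS = ("Garden.Settings.Manage", "Garden.Users.Edit", "Garden.Moderation.Manage")

# Constructed sample data: the Applicant role has been (mis)configured to post
# in category 1, and the Member role has drifted into holding user-edit rights.
ROLES = [
    {"RoleID": 2, "Name": "Guest"},
    {"RoleID": 3, "Name": "Applicant"},
    {"RoleID": 8, "Name": "Member"},
    {"RoleID": 16, "Name": "Administrator"},
]

PERMISSIONS = [
    # Global rows (JunctionTable is None).
    {"RoleID": 16, "JunctionTable": None, "JunctionID": None,
     "Garden.Settings.Manage": 1, "Garden.Users.Edit": 1, "Garden.Moderation.Manage": 1},
    {"RoleID": 8, "JunctionTable": None, "JunctionID": None,
     "Garden.Settings.Manage": 0, "Garden.Users.Edit": 1, "Garden.Moderation.Manage": 0},
    # Per-category rows.
    {"RoleID": 8, "JunctionTable": "Category", "JunctionID": 1,
     "Vanilla.Discussions.Add": 1, "Vanilla.Comments.Add": 1},
    {"RoleID": 3, "JunctionTable": "Category", "JunctionID": 1,
     "Vanilla.Discussions.Add": 1, "Vanilla.Comments.Add": 1},
    {"RoleID": 2, "JunctionTable": "Category", "JunctionID": 1,
     "Vanilla.Discussions.Add": 0, "Vanilla.Comments.Add": 0},
]


def _granted(rows, role_ids, perms):
    """Yield (RoleID, JunctionTable, JunctionID, perm) for every permission
    column in `perms` that is set to 1 on a row belonging to `role_ids`."""
    for row in rows:
        if row["RoleID"] not in role_ids:
            continue
        for perm in perms:
            if row.get(perm, 0):
                yield (row["RoleID"], row["JunctionTable"], row["JunctionID"], perm)


def audit(roles, permissions, pending_roles=("Applicant", "Guest"),
          admin_roles=("Administrator",)):
    """Return the two finding lists as (role name, junction table, junction id, permission)."""
    names = {r["RoleID"]: r["Name"] for r in roles}
    pending_ids = {rid for rid, name in names.items() if name in pending_roles}
    non_admin_ids = {rid for rid, name in names.items() if name not in admin_roles}

    pending_can_post = [(names[rid], jt, jid, perm)
                        for rid, jt, jid, perm in _granted(permissions, pending_ids, POSTING_PERMS)]
    unexpected_admin = [(names[rid], jt, jid, perm)
                        for rid, jt, jid, perm in _granted(permissions, non_admin_ids, ADMIN_PERMS)]
    return {"pending_can_post": pending_can_post, "unexpected_admin": unexpected_admin}


if __name__ == "__main__":
    findings = audit(ROLES, PERMISSIONS)
    for kind, items in findings.items():
        print(f"{kind}: {len(items)} finding(s)")
        for role, jt, jid, perm in items:
            scope = f"{jt} {jid}" if jt else "global"
            print(f"  {role} has {perm} ({scope})")
```

In practice the row lists come from a SQL export of GDN_Permission joined to GDN_Role; running the audit before and after an upgrade, and again on a schedule, gives a simple diff that catches the kind of silent permission drift described above rather than relying on noticing it when a pending user posts.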
No problem and glad you got this solved @Bridgetheory
I figured it out while doing some custom permissions because I needed it anyway. You should also do an update if you can, just like @River suggested, as the older versions do have security issues.
So apparently if you want to allow guest posting, use an older version of Vanilla that has these kinds of bugs...