Blog Documentation Book a Demo
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Users can see "most recent" activity from categories they don't have access to

Wilson29thIDWilson29thID New
in Vanilla 3.x Help

After upgrading Vanilla to v3.3 (from 2.3), users can see "Most recent" activity from categories they don't have access to: specifically the post title/author/timestamp. This appears in the parent category's "Most recent" post area.

I posted a bug report but haven't heard back yet so thought I'd mention it here in case any other users have run into the issue.

Steps to reproduce the behavior:

  1. Create a sub-category with custom permissions so only members of a certain role can see it.
  2. While logged in as a member who is not of that role, look at the /categories page, at the parent category's "most recent" post area.

Screen recording from fresh install

Tagged:

Comments

  • charrondevcharrondev Vanilla Staff
    edited February 2020

    It seems valid, I'll take a look into how it's getting triaged for you. I will note that generally with security issues the place they get the most attention is on our hackerone bounty program. We have certain timelines for fast we triage things there, and if the issues is of certain severity we pay out bounties.

    https://hackerone.com/vanilla

    I'm not sure if you are eligible for a bounty when they are publicly disclosed though.


    In any case I'll try and get a response this week.

  • Wilson29thIDWilson29thID New

    Oh wow, I didn't have this as a "security issue" in my mind! Frankly I assumed I was configuring something wrong. Would it be helpful for me to post it on the bug bounty as well?

  • Wilson29thIDWilson29thID New

    Hi, has there been any update on this security issue?

  • Wilson29thIDWilson29thID New

    Hey, it’s been a year since I reported this security issue. Has there been any investigation?

  • daocaoitdaocaoit New

    maybe you can fix it like this , but if the last discussion is in private category , the most recent will be hidden.

    private function gatherLastIDs($categoryTree, &$result = null) {
        if ($result === null) {
            $result = [];
        }
        
        foreach ($categoryTree as $category) {
            if($category['LastCategoryID'] == $category['CategoryID'])
            {
                $result["{$category['LastDiscussionID']}/{$category['LastCommentID']}"] = [
                    'DiscussionID' => $category['LastDiscussionID'],
                    'CommentID' => $category['LastCommentID']
                ];
            }
            

            if (!empty($category['Children'])) {
                $this->gatherLastIDs($category['Children'], $result);
            }
        }
    }

    or you can get session user info

    Gdn::session()->User

    you can check the discussion view permission of special category

Sign In or Register to comment.