HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Users can see "most recent" activity from categories they don't have access to

After upgrading Vanilla to v3.3 (from 2.3), users can see "Most recent" activity from categories they don't have access to: specifically the post title/author/timestamp. This appears in the parent category's "Most recent" post area.

I posted a bug report but haven't heard back yet so thought I'd mention it here in case any other users have run into the issue.

Steps to reproduce the behavior:

  1. Create a sub-category with custom permissions so only members of a certain role can see it.
  2. While logged in as a member who is not of that role, look at the /categories page, at the parent category's "most recent" post area.

Screen recording from fresh install



  • charrondevcharrondev Developer Lead (PHP, JS) Montreal Vanilla Staff
    edited February 2020

    It seems valid, I'll take a look into how it's getting triaged for you. I will note that generally with security issues the place they get the most attention is on our hackerone bounty program. We have certain timelines for fast we triage things there, and if the issues is of certain severity we pay out bounties.

    I'm not sure if you are eligible for a bounty when they are publicly disclosed though.

    In any case I'll try and get a response this week.

  • Oh wow, I didn't have this as a "security issue" in my mind! Frankly I assumed I was configuring something wrong. Would it be helpful for me to post it on the bug bounty as well?

  • Hi, has there been any update on this security issue?

  • Hey, it’s been a year since I reported this security issue. Has there been any investigation?

  • maybe you can fix it like this , but if the last discussion is in private category , the most recent will be hidden.

    private function gatherLastIDs($categoryTree, &$result = null) {
            if ($result === null) {
                $result = [];
            foreach ($categoryTree as $category) {
                if($category['LastCategoryID'] == $category['CategoryID'])
                    $result["{$category['LastDiscussionID']}/{$category['LastCommentID']}"] = [
                        'DiscussionID' => $category['LastDiscussionID'],
                        'CommentID' => $category['LastCommentID']
                if (!empty($category['Children'])) {
                    $this->gatherLastIDs($category['Children'], $result);

    or you can get session user info


    you can check the discussion view permission of special category

Sign In or Register to comment.