[Solved!] "Unauthenticated" can view all hidden categories!
Andy K
Hi all, brief support Q, but probably high level:
I recently dived into my DB, deleting old user roles that were hanging around (leaving all active roles), and disabling and re-enabling all of my extensions (trying to track down a perf issue, which I caught and resolved).
Now, I've got everything rebuilt. However, I cannot for the life of me fix one issue. I can no longer control forum category access for "Unauthenticated" users. The last time I really confirmed was about a week ago, and I'm looking at the DB side and everything "lines up", but when I go into Settings: Categories, and say remove all checkboxes for all users (thereby effectively making categories "disappear") all authenticated users (Member, Admins, etc) can no longer see these categories. But unauthenticated users CAN!
It's like somehow the Unauthenticated account is bypassing all security. I went into phpMyAdmin just to make sure everything seems to line up (Unauthenticated account # is "8", made sure that "8" was blocked in LUM_CategoryRoleBlock, made sure that its blocked categories correspond to the ones I wanted blocked, etc). I compared the DB to others of my Vanilla installs, and can't see anything that jumps out at me as set incorrectly or the like.
I turned off *all* extensions just to make sure, and the same thing happens, so this isn't an extension issue.
Thoughts?
-Andy
Edit: Possibility that the "unauthenticated user" is not actually using the "Unauthenticated" role, but rather another role? Perhaps a default role number is missing? This was originally a 9.x install of Vanilla that was upgraded over the years, now at the latest version. The current user numbers are: "3 5 6 8 9 16". I removed the old unused (since 9.x days) "guest", etc. Maybe that was the issue?
This discussion has been closed.
Comments
I went into my DB in phpMyAdmin: I changed the ID of Unauthenticated from "8" to "1". Then I went back into the app and changed the Category view settings. Poof, it worked.
So, for future reference: If Unauthenticated is NOT Role ID #1, Shit Breaks!
(I think until now it was using the old 9.x convention of "Guest")
-Andy