
View rights inconsistently enforced between Profile discussions & comments!

jrapage (New)
edited March 2011 in Vanilla 2.0 - 2.8
If you have Categories that have different View permissions (i.e. non-signed-in users may not view), the visibility is not enforced correctly between the following pages:

YOURSITE/index.php?p=/profile/discussions/ID/USER
yes - hides discussions started by the user in categories that are not permitted to view

YOURSITE/index.php?p=/profile/comments/ID/USER
NO! - shows all latest comments by the user regardless of category permissions

This is a *major* privacy/security hole that puts any board at risk that has category view rights assigned to select groups.

Is anyone familiar with the code behind the Discussions and Comments tabs on a user's profile page? The former checks for rights whereas the latter doesn't.

Thanks
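The defect described above is a classic authorization inconsistency: the discussions tab filters by category view permission, but the comments tab does not, so a comment leaks the existence (and text) of a thread in a category the viewer cannot see. The added example below is not Vanilla's code; it is a stand-alone model, with constructed users, roles, categories, discussions and comments, that shows the flaw and the fix. The key point is that a comment inherits its category through its parent discussion, so the comment listing has to join comment -> discussion -> category and apply the same visibility check the discussion listing already uses. All names (`visible_category_ids`, `profile_comments`, the role and category data) are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# --- Constructed sample data (not from any real forum) ---------------------

@dataclass(frozen=True)
class Category:
    id: int
    name: str
    view_roles: FrozenSet[str]  # roles allowed to view; empty means public

@dataclass(frozen=True)
class Discussion:
    id: int
    category_id: int
    author: str
    title: str

@dataclass(frozen=True)
class Comment:
    id: int
    discussion_id: int  # a comment only knows its category via its discussion
    author: str
    body: str

CATEGORIES = {
    1: Category(1, "General", frozenset()),            # public
    2: Category(2, "Staff Room", frozenset({"staff"})), # restricted
}
DISCUSSIONS = {
    10: Discussion(10, 1, "alice", "Welcome"),
    20: Discussion(20, 2, "alice", "Moderation queue"),
    30: Discussion(30, 2, "bob", "Ban appeal for user X"),
}
COMMENTS = [
    Comment(100, 10, "alice", "Hello everyone"),
    Comment(101, 20, "alice", "Queue is empty today"),
    Comment(102, 30, "alice", "I vote to lift the ban"),
    Comment(103, 10, "bob", "Hi Alice"),
]
# Roles per signed-in user; a viewer of None is an anonymous guest.
USER_ROLES = {"alice": frozenset({"member", "staff"}), "bob": frozenset({"member"})}


def viewer_roles(viewer: Optional[str]) -> FrozenSet[str]:
    """Roles used for permission checks; guests get only the 'guest' role."""
    return USER_ROLES.get(viewer, frozenset({"guest"})) if viewer else frozenset({"guest"})


def visible_category_ids(viewer: Optional[str]) -> FrozenSet[int]:
    """The single source of truth for 'which categories may this viewer see'.
    Every listing (discussions, comments, search, feeds) should go through it."""
    roles = viewer_roles(viewer)
    return frozenset(
        c.id for c in CATEGORIES.values()
        if not c.view_roles or (c.view_roles & roles)
    )


def profile_discussions(user: str, viewer: Optional[str]) -> List[int]:
    """Discussions tab: filters by the viewer's category permissions (correct)."""
    allowed = visible_category_ids(viewer)
    return sorted(d.id for d in DISCUSSIONS.values()
                  if d.author == user and d.category_id in allowed)


def profile_comments_unfiltered(user: str) -> List[int]:
    """Comments tab as reported in the post: no category check at all (defective).
    Kept only to contrast with the fixed version below."""
    return sorted(c.id for c in COMMENTS if c.author == user)


def profile_comments(user: str, viewer: Optional[str]) -> List[int]:
    """Comments tab, fixed: resolve each comment's category through its parent
    discussion and apply the same visibility filter the discussions tab uses."""
    allowed = visible_category_ids(viewer)
    result = []
    for c in COMMENTS:
        if c.author != user:
            continue
        parent = DISCUSSIONS.get(c.discussion_id)
        # An orphaned comment (parent missing) is treated as not visible: fail closed.
        if parent is None or parent.category_id not in allowed:
            continue
        result.append(c.id)
    return sorted(result)


if __name__ == "__main__":
    # A guest viewing alice's profile: the unfiltered tab leaks staff-only comments.
    print("discussions (guest):", profile_discussions("alice", None))
    print("comments, defective (guest):", profile_comments_unfiltered("alice"))
    print("comments, fixed (guest):", profile_comments("alice", None))
    print("comments, fixed (staff viewer):", profile_comments("alice", "alice"))
```

The design choice worth copying is that both tabs call one `visible_category_ids` helper rather than each re-implementing the rule; the original bug is exactly what happens when the check lives in one controller and a second controller that reaches the same data through a different join forgets it. A quick regression check for a real forum is the same as the test here: view a profile as a guest and as a privileged user and confirm the comment tab's set of category ids is a subset of the guest-visible categories.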
