
Applicants can flag posts v 2.1.10

Today, my forum was attacked by an unverified applicant using the "Flagging" feature. It was clearly some sort of script, as he flagged around 40,000 posts, which crippled our mail server from all of the notifications being sent.

There is nothing checked for the flagging plugin in the roles / permissions screen for applicants. However, he clearly used it. I set up a test account in the applicant usergroup, and sure enough - the "Flag" links show up and work.

How can I actually block applicants from using the "Flagging" feature?

Comments

  • hgtonight ∞ · New Moderator

    This sounds like a role permission issue.

    The flagging plugin (v1.1.1) has a permission check for 'Garden.Moderation.Manage' for all flagging purposes.

    Search first

    Check out the Documentation! We are always looking for new content and pull requests.

    Click on insightful, awesome, and funny reactions to thank community volunteers for their valuable posts.

  •

    Agreed, but I don't understand why. Here are my permission settings for "Applicant"

    According to those rules, Applicant should not be able to flag, right?

  •

    make sure you update your forum to 2.1.11

    grep is your friend.

  •

    Planning to, is this something that was dealt with in 2.1.11, or is that just a general recommendation?

  • hgtonight ∞ · New Moderator

    @almostbasic That is excellent advice.


  • peregrine MVP
    edited July 2015

    @almostbasic said:

    According to those rules, Applicant should not be able to flag, right?

    Actually, the attack you mention was overlooked. They can flag but should be prevented.

    good catch...

    It doesn't matter if you have version 2.1.11 with respect to the "FLAW" you have reported.

    I figure if an applicant can cripple your server like this, it is a security bug. Others can call it what they want.

    Applicants do indeed have a flagging option with vanilla 2.1.11.

    You might consider turning off viewing of comments and discussions for applicants; that might alleviate the issue until a role option for the ability to flag is added and the role's permission is checked.

    see below on how to change....

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • peregrine MVP
    edited July 2015

    @almostbasic said:

    How can I actually block applicants from using the "Flagging" feature?

    To add a role-specific option to allow flagging by role, and to prevent the above mishap of a server crash due to an applicant abusing the flagging option, you could modify the flagging plugin.

    • 1 disable the plugin.

    • 2 change class.flagging.plugin.php in the flagging plugin folder

    around line 22...

    'RegisterPermissions' => array('Plugins.Flagging.Notify'),

    to

    'RegisterPermissions' => array('Plugins.Flagging.Notify','Plugins.Flagging.Allow'),

    around line 190 or so

    also change from

    protected function AddFlagButton($Sender, $Args, $Context = 'comment') {

    to

    protected function AddFlagButton($Sender, $Args, $Context = 'comment') {
        // add line below to check for allow flagging permission
        if (!(Gdn::Session()->CheckPermission('Plugins.Flagging.Allow'))) return;

    also change around line 224 or so

    from

    public function DiscussionController_Flag_Create($Sender) {

    to

    public function DiscussionController_Flag_Create($Sender) {
        // add line below to check for allow flagging permission
        if (!(Gdn::Session()->CheckPermission('Plugins.Flagging.Allow'))) return;

    • 3 reenable the plugin.

    (Disabling and re-enabling the plugin after the changes will give you a new permissions checkbox in the roles and permissions screen of the dashboard.)


    • 4 give any role that you want to have the ability to flag the "allow" check under the flagging plugin.

    Make sure the "allow" box for flagging is unchecked for applicants and other non-trusted roles.

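    The flood almostbasic describes (tens of thousands of flags from one account) is visible in the web server log long before the mail queue backs up. As an added example, not code from the thread or from Vanilla, here is a small sliding-window detector over combined-format access log lines; it assumes the plugin's DiscussionController_Flag_Create method is routed as /discussion/flag/... and the sample lines are constructed.

```python
"""Sliding-window detector for a flag flood in Vanilla access logs (added
example, not Vanilla or Flagging-plugin code).  Assumes the Flag_Create
endpoint is routed as /discussion/flag/... and combined log format."""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
FLAG_PATH = re.compile(r"^/discussion/flag/")  # assumed route of Flag_Create

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None if unparsable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))

def flag_floods(lines, limit=10, window_s=60):
    """Return {ip: peak flag requests within any window_s-second window}
    for clients whose count exceeded `limit`; lines are per-IP time-ordered."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, _method, path, _status = rec
        if not FLAG_PATH.match(path):
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > limit:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

def _line(ip, second, path):
    # Constructed combined-format line (sample data, not a real log).
    return f'{ip} - - [01/Jul/2015:10:00:{second:02d} +0000] "POST {path} HTTP/1.1" 200 512'

# Constructed sample: one client fires 12 flags in 22 s, a member files 3.
SAMPLE_LOG = (
    [_line("198.51.100.7", s, "/discussion/flag/123/comment/456") for s in range(0, 24, 2)]
    + [_line("203.0.113.5", s, "/discussion/flag/9/discussion/9") for s in (5, 20, 40)]
    + [_line("203.0.113.5", 50, "/discussions")]
)
```

    Hiding the flag link only changes the page; the endpoint check in the plugin is what stops the script, and a detector like this tells you when someone is still trying.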

  •

    Thanks a ton peregrine - that seems to work. I really appreciate you taking the time to come up with a solution. =)

  • peregrine MVP
    edited July 2015

    @almostbasic said:
    Thanks a ton peregrine - that seems to work. I really appreciate you taking the time to come up with a solution. =)

    pleasure...

    Well, I thought you brought up a good point that was overlooked and could be taken advantage of with respect to the flagging plugin.
