SimplePortal
Development => Bugs => Fixed or Bogus Bugs => Topic started by: andershz on February 08, 2012, 07:14:34 AM
-
When I mark a topic as an article it is visible on the front page even if it is in a board the currently logged in user (or guest) have no permissions in.
Is this intentional?
SP 2.3.4
-
Hmm. I would have thought the permission would be checked per-user, as with any other topic.
I will move this to bug reports, and report it as a bug.
I have not checked this behavior myself. I've only ever created articles I wanted the whole world to see!
-
Just checked this on my test site and I couldn't reproduce. Any chance that there is a problem with your permission setup? I could check it up for you if you could send me temporary admin login details via pm.
-
After further investigation it appears this is caused by a SMF mod I have installed, "View Only Boards".
Without this mod it will probably work ok.
-
Cool. I'll be closing the report then.
-
A bit of necro-posting, but not until now did I find the time to look in to this issue properly.
Maybe I'm the only one using both SimplePortal and the View-Only Boards mod, but in case there's someone else here's some info that might be useful.
The way the View-Only Boards mod is implemented is questionable from a security point of view.
It works by adding all the boards where the user has view-only access to the predefined database query "query_see_boards" which originally just holds the boards where the user has at least read access.
Then at (hopefully) all relevant places an extra check is added to see if the user has view-only access to the board and if so preventing the user from seeing posts etc.
This method of first giving the users more access than they should have and then removing some of it is not so good in principle.
If this extra check is forgotten in any place the user can see posts which should not be seen.
It also means that if any other mod is added where "query_see_boards" is used that mod will give the users access to posts they shouldn't see because in that mod there will be no checks for view-only boards.
In practice I noticed this with the articles system in SimplePortal, which displays complete articles from boards the logged in user (or guest) do not have access to when this mod is installed.
I imagine similar problems could occur with for instance other portals or Tapatalk.
This should really be fixed in the View-Only Boards mod, but as a temporary workaround I have modified PortalArticles.php to not use {query_see_board}, instead I make a copy of $user_info['query_see_board'], remove all "_view" from it and use that as the query.
-
Thanks for those comments, which might be useful to other users of the View-Only Boards mod.
I hope you have notified the mod's author of the compatability difficulties in the current implementation, so he can consider them in some future version of the View-Only Boards mod.
Given all that, your workaround seems practical. I am not certain about the server load implications. It would take someone with more experience than I have to figure that out.
Thank you!