2006-10-09, 02:46 AM
One of my users posted a "how to make an H-Bomb" instructional post. I soft-deleted it to my Trash Can forum (not the plugin, just a setup using custom mod tools) while I went off to find out if posting such a thing is actually legal. I come back a little while later to find that the user had been able to click "view today's posts" and get to the post in the Trash Can. Not only that, but he was able to EDIT his post! The permissions for the Trash Can are that normal users cannot view, read, post, or edit anything in that forum! So, a few bugs.
1. "view today's posts" shouldn't be showing posts in a hidden forum. Apparently it does if the post was started in a public forum and then moved into a hidden forum.
2. When the user clicked the link to his post in the hidden forum, he should've gotten an "access denied" page, not the post!
3. When the user clicked "edit" he should've gotten an "access denied" page, not the edit form!
All this appears to be due to the fact that a post's permissions aren't changed when the post gets moved into a forum with different permissions. I'd say that's a pretty major flaw in the system.
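Added illustration (not part of the original post, and not the forum software's own code): a minimal Python model of the failure mode the post suspects, where access rights are captured when a post is created and never refreshed on a move, next to checks that resolve permissions from the post's current forum for the listing, view and edit paths. The forum names, groups and function names are all hypothetical.

```python
from dataclasses import dataclass

# Hypothetical ACL: forum name -> groups allowed to view it.
FORUM_VIEW_GROUPS = {"general": {"member", "moderator"}, "trash": {"moderator"}}

@dataclass
class Post:
    post_id: int
    author: str
    forum: str

    def __post_init__(self):
        # Flawed design: the ACL is snapshotted once, at creation time.
        self.cached_view_groups = set(FORUM_VIEW_GROUPS[self.forum])

def move_post(post, new_forum):
    # The move changes the forum but leaves the snapshot untouched.
    post.forum = new_forum

def can_view_stale(post, group):
    # Uses the creation-time snapshot, so a moved post stays visible.
    return group in post.cached_view_groups

def can_view(post, group):
    # Resolves the ACL from the forum the post is in right now.
    return group in FORUM_VIEW_GROUPS[post.forum]

def can_edit(post, user, group):
    # Authorship alone is not enough: the forum must also be visible.
    return can_view(post, group) and (user == post.author or group == "moderator")

def todays_posts(posts, group):
    # Listings go through the same check as direct links.
    return [p.post_id for p in posts if can_view(p, group)]

def demo():
    posts = [Post(1, "alice", "general"), Post(2, "bob", "general")]
    move_post(posts[1], "trash")  # moderator soft-deletes bob's post
    return {
        "stale_view": can_view_stale(posts[1], "member"),
        "view": can_view(posts[1], "member"),
        "edit": can_edit(posts[1], "bob", "member"),
        "listing": todays_posts(posts, "member"),
        "mod_edit": can_edit(posts[1], "mod", "moderator"),
    }

if __name__ == "__main__":
    print(demo())
```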