MyBB Community Forums

Full Version: Bypassing Theme Permissions
This isn't particularly critical but I figured it was still worth bringing up.

We have a Christmas theme that we enabled for the month of December as our default and then disabled it (by clearing the Allowed User Groups section and forcing anyone currently set to it manually back to the default) on January 1. A couple of days ago, I noticed one user inexplicably back on that theme and while he claims that it's likely a cache issue on his end still allowing him to select it, I started doing a little experimenting and found that, if you know the theme's ID, you can arbitrarily switch to any theme by editing the ID into an available theme in the User CP or quick select box (e.g. via inspect element or something like Firebug).

Obviously, this requires knowing the correct theme ID but it's trivial to bypass theme permissions once you do. A simple check when setting the theme as well as an automatic reset to default when a user group is removed from the allowed list would likely fix this but I'll leave that end up to you guys.

Thanks for reading and let me know if you need any additional details!
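As an added illustration of the server-side check suggested in the post above (example code written for this thread, not MyBB's own code): the theme a user ends up with has to be validated on the server against the theme's allowed user groups, whatever ID the browser submitted, and the stored choice has to be re-validated as well so that clearing a theme's allowed groups sends its users back to the default. The function names (`resolve_theme_for_user`, `theme_allowed_for_user`), the `$themes` array and the group IDs are constructed for the example and do not correspond to MyBB's data model.

```php
<?php
// Added example (hypothetical, not MyBB code): enforce theme permissions server-side.
// Constructed sample data: theme id => allowed user-group IDs. An empty list means the
// theme is hidden from everyone, as with the Christmas theme after its groups were cleared.
$themes = [
    1 => ['name' => 'Default',   'allowed_groups' => [2, 3, 4]],
    5 => ['name' => 'Christmas', 'allowed_groups' => []],
    7 => ['name' => 'Staff',     'allowed_groups' => [4]],
];
$default_theme_id = 1;

/**
 * True only if at least one of the user's groups appears in the theme's allowed list.
 */
function theme_allowed_for_user(array $theme, array $user_groups): bool
{
    return count(array_intersect($theme['allowed_groups'], $user_groups)) > 0;
}

/**
 * Decide which theme the user actually gets.
 * $requested_id is whatever arrived from the User CP / quick-select form (possibly edited
 * client-side); $stored_id is the theme already saved on the account. Both are checked
 * against the allowed groups, so a tampered request is rejected and a user whose group
 * was later removed from the allowed list is reset to the default instead of keeping
 * the hidden theme.
 */
function resolve_theme_for_user(
    ?int $requested_id,
    int $stored_id,
    array $user_groups,
    array $themes,
    int $default_theme_id
): int {
    foreach ([$requested_id, $stored_id] as $candidate) {
        if ($candidate !== null
            && isset($themes[$candidate])
            && theme_allowed_for_user($themes[$candidate], $user_groups)) {
            return $candidate;
        }
    }
    // Neither the submitted nor the stored theme is permitted: fall back to the default.
    return $default_theme_id;
}

// Usage: a member in group 2 submits theme 5 (hidden) through an edited select box and
// also still has theme 5 stored from December; the check falls back to the default.
$member_groups = [2];
echo "Member gets theme: " . resolve_theme_for_user(5, 5, $member_groups, $themes, $default_theme_id) . "\n";

// A staff member (group 4) may legitimately keep theme 7.
echo "Staff gets theme: " . resolve_theme_for_user(7, 1, [4], $themes, $default_theme_id) . "\n";
```

The point of re-checking `$stored_id` on every request (or at least on login and on theme-permission changes) is that the bypass in the report works in two ways: a tampered form submission, and a previously legitimate selection that stays in the user table after the theme's allowed groups are emptied. Validating only at selection time closes the first path but not the second.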
I can confirm this.
I can confirm this too
Hi,

Thank you for your report. We have pushed this issue to our Github repository for further analysis where you can track our commits and progress with fixing this bug. Discussions regarding this bug may also take place there too.

Follow this link to visit the issue on Github: https://github.com/mybb/mybb/issues/1752

Thanks for contributing to MyBB!

Regards,
The MyBB Group
There's apparently more to this than I realized initially. I now have a second member who can suddenly see themes that are hidden from everyone. These hidden themes, for at least these two members, are visible in both the Quick Select and the options page of the User CP.

I'll submit a separate bug report if you'd prefer that but I believe these issues are likely related and figured it might make sense to add here. Thanks!