MyBB Community Forums

Full Version: Remove "Find all Posts" "Find All Threads" - Critical Issues
So, in testing some things on a board I admin for, I noticed something that is problematic.

We have an admin-only forum for communications, etc. No other users allowed in those forums, nor can they even see they exist. Unless they go through the user profiles!

I have discovered that users are able to view an admin profile, click "Find All Posts" or "Find All Threads", and bypass forum settings/permissions. They are able to not only see the titles and post excerpts, but can also click on the post and view/read it, and they can click on the forum name (Admin Notes) and see the entire forum contents.

How can I remove the "Find all posts" and "Find all threads" link in the user profile page? What template do I need to edit? I can't seem to find it!

Next to Total Posts/Total Threads
See this link for user profile example
https://community.mybb.com/user-132509.html 

Running latest MyBB version.

What permissions are set for that forum for each user group? Does the same happen with plugins disabled?

I do not wish to detract from the opening post but I also wished to remove the ability to search and find all user's posts .... and the user's name!
I wanted to keep Admin completely separate from the forum but in the search .... you can find Admin.
And all their posts .... but to me it is that the Admin Name can be found.
I consider the Name (of the admin) to be a part of securing the forum admin control panel.
I did all recommended and admin does not go on the forum .... but a search can reveal the admin username!

Hope this is on topic?

(2021-09-20, 05:00 PM) Devilshakerz wrote: What permissions are set for that forum for each user group? Does the same happen with plugins disabled?

UPDATE: More issues discovered. Doing a forum search for an administrator username in the user box and typing in a common word like "the" also allows a user to find/view the post and also the hidden forum.

Currently the only permissions set are custom permissions. NO to everything for every user group EXCEPT administrators and super moderators. "Search Forum" option is also disabled for all user groups.

I have disabled all plugins individually and reattempted. The issue was still present after all plugins were disabled. I have since edited the member profile template and removed the Find posts/threads strings from the template to prevent anyone from gaining access that way. Also removed searching capabilities for the time being.

I've done all the rebuilding, cache clearing, etc. Could this be a database issue?

This is an interesting one. I will say that even if you remove the link from the profile, someone could still construct a link themselves and bypass this, so the permissions themselves need to be fixed.

I tried to reproduce this on my own community and wasn't able to, as the staff boards were showing only to administrators in search results as expected. I suspect something weird is still going on with the permissions. I do know that MyBB will hide an entire category on the index (along with the boards contained within) if you disable the permissions on that category, but if the individual boards still have default permissions, it will still render posts within those boards if someone links to them directly. If you can screenshot the permissions page for one of the individual boards that is having issues, we can take a look and might be able to help and see what might be going on.

Make sure that registered and guests are both disabled for "view" on every board contained within them. Even if the board isn't displayed on the index (hidden in a parent, etc), MyBB will not consider the posts in that board itself to be off-limits unless it's disabled on each individual board.
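
The per-board check recommended in the reply above can be run as a query; this is an added example, not code from the thread or from MyBB. It assumes MyBB's default table prefix (`mybb_`), the default group ids 1 (Guests) and 2 (Registered), and a reduced set of columns, and it runs against constructed sample data in an in-memory SQLite database.

```python
import sqlite3

# Constructed sample data. Table and column names follow MyBB's default
# schema as an assumption, reduced to the columns this audit needs.
SAMPLE = """
CREATE TABLE mybb_forums (fid INTEGER PRIMARY KEY, name TEXT, type TEXT,
                          pid INTEGER, parentlist TEXT);
CREATE TABLE mybb_forumpermissions (fid INTEGER, gid INTEGER, canview INTEGER);
INSERT INTO mybb_forums VALUES
  (1, 'Staff',         'c', 0, '1'),      -- category, denied for gid 1 and 2
  (2, 'Admin Notes',   'f', 1, '1,2'),    -- board with both denies set
  (3, 'Admin Archive', 'f', 1, '1,3'),    -- board with only the guest deny
  (5, 'Incident Log',  'f', 3, '1,3,5'),  -- nested board, no custom rows
  (4, 'General',       'f', 0, '4');      -- public board, outside category
INSERT INTO mybb_forumpermissions VALUES
  (1, 1, 0), (1, 2, 0), (2, 1, 0), (2, 2, 0), (3, 1, 0);
"""

# Boards anywhere below the category (matched through parentlist) for which
# the given group has no custom permission row with canview = 0.
AUDIT = """
SELECT f.fid, f.name
FROM mybb_forums f
LEFT JOIN mybb_forumpermissions p ON p.fid = f.fid AND p.gid = ?
WHERE f.type = 'f'
  AND (',' || f.parentlist || ',') LIKE ('%,' || ? || ',%')
  AND (p.canview IS NULL OR p.canview <> 0)
"""

def sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE)
    return conn

def boards_missing_view_deny(conn, category_fid, gids=(1, 2)):
    """Return sorted (fid, name, gid) tuples lacking an explicit view deny."""
    findings = []
    for gid in gids:
        rows = conn.execute(AUDIT, (gid, category_fid)).fetchall()
        findings += [(fid, name, gid) for fid, name in rows]
    return sorted(findings)

if __name__ == "__main__":
    for fid, name, gid in boards_missing_view_deny(sample_db(), 1):
        print(f"board {fid} ({name}): no explicit canview=0 for group {gid}")
```
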
After a bunch of trial and error, I did a database restore from a backup and it seemingly fixed the issue. However, out of an abundance of caution I did an export/import onto a new site build with no plugins installed. No issues, and will be reinstalling and activating plugins to ensure this isn't some sort of backdoor built into the plugins.

What's interesting is that we have member lists, viewing who's online, stats, etc. disabled throughout the board. So this was definitely a surprise that these items were still technically accessible using direct links.

We don't have registration enabled for outside persons, all registered users are created manually by admins. All guest/waiting activation user groups have absolutely no permissions.

I am not able to figure out what database issue may have caused such an issue. All of the plugins that we had installed were downloaded from the Extension area here. I am not thinking it was a plugin issue. But definitely strange!