The forum permissions are not applied on the stats page. The tables "Most Replied To Threads" and "Most Viewed Threads" can contain threads from forums a user has no permission to see.
Fix: Open stats.php and search for (2x!):
if(!in_array("'{$thread['fid']}'", $unviewableforumsarray))
Replace with (2x!):
if(!in_array($thread['fid'], $unviewableforumsarray))
/**
* Get a list of the unviewable forums for the current user
*
* @param boolean Set to true to only fetch those forums for which users can actually read a thread in.
* @return string Comma separated values list of the forum IDs which the user cannot view
*/
function get_unviewable_forums($only_readable_threads=false)
{
global $forum_cache, $permissioncache, $mybb, $unviewableforums, $unviewable, $templates, $forumpass;
$pid = intval($pid);
if(!$permissions)
{
$permissions = $mybb->usergroup;
}
if(!is_array($forum_cache))
{
cache_forums();
}
if(!is_array($permissioncache))
{
$permissioncache = forum_permissions();
}
foreach($forum_cache as $fid => $forum)
{
if($permissioncache[$forum['fid']])
{
$perms = $permissioncache[$forum['fid']];
}
else
{
$perms = $mybb->usergroup;
}
$pwverified = 1;
if($forum['password'] != "")
{
if($mybb->cookies['forumpass'][$forum['fid']] != md5($mybb->user['uid'].$forum['password']))
{
$pwverified = 0;
}
}
if($perms['canview'] == 0 || $pwverified == 0 || ($only_readable_threads == true && $perms['canviewthreads'] == 0))
{
if($unviewableforums)
{
$unviewableforums .= ",";
}
$unviewableforums .= "'".$forum['fid']."'";
}
}
return $unviewableforums;
}
You'll notice it returns it in a format like '1','2','3','4'
And when we explode it to an array it looks like:
Array(
'1',
'2',
'3',
'4'
)
So your fix doesn't work