MyBB Community Forums

MyBB Community Forums > Community Archive > Archived Forums > Archived Development and Support > MyBB 1.4 > MyBB 1.4 General Support > Member accessing hidden forum?
Full Version: Member accessing hidden forum?
You're currently viewing a stripped down version of our content. View the full version with proper formatting.

farleyq

2009-03-12, 02:09 PM
Hi guys,

Want to help me unravel a mystery? I have a hidden forum viewable and postable only to admins. Last night I looked on the WOL complete list and it showed a registered member "posting reply" to a thread on our hidden forum! I went and checked the settings and they are correct - members are denied access to that forum. I also checked that thread to make sure it was in the hidden forum. It is.

Then later, whe WOL list said this same user was posting a reply to a thread in a forum that everyone has access to, but when I went there, it did not show the user as being there (we have set it to where it shows what users are on each forum). Does anyone have a clue about this or has it happened to you? This is important to me to guarantee the security of our site.

Thanks so much, everyone, for your patience with my questions. You guys are great! Heart

Ryan Loos

2009-03-12, 02:14 PM
I know sometimes that if a user goes to a link it will show that they are performing an action, even though they're actually viewing a no permissions page.
But it sounds to me like they wouldn't have even been able to see a link to the thread.

Why not make a test account with the same user group and other permissions as the user you saw 'posting a reply' to your hidden thread? Smile

farleyq

2009-03-12, 03:06 PM
(2009-03-12, 02:14 PM)Ryan Loos Wrote: [ -> ]I know sometimes that if a user goes to a link it will show that they are performing an action, even though they're actually viewing a no permissions page.
But it sounds to me like they wouldn't have even been able to see a link to the thread.

Why not make a test account with the same user group and other permissions as the user you saw 'posting a reply' to your hidden thread? Smile


Great idea! I did create a test account and there is no link to the hidden forum.

You are correct about a user going to a certain location and not actually able to view the page. It does show that they are viewing the page when they're really not. But what bothers me about this is that this member would not have even been able to be at the hidden forum at all. Huh

Matt

2009-03-12, 04:40 PM
I've seen members, guests, and even Googlebots replying to a thread in our staff forum here when I look at the WOL, very weird. There is a bug in 1.4.4, meaning that when a user is seeing a No Permissions Page, the WOL will show the actual page they are trying to view (meaning the hidden thread/forum) - in 1.4.5, the location will show as 'Viewing No Permissions page'. So, that's all they're seeing Smile

farleyq

2009-03-12, 05:13 PM
(2009-03-12, 04:40 PM)MattRogowski Wrote: [ -> ]I've seen members, guests, and even Googlebots replying to a thread in our staff forum here when I look at the WOL, very weird. There is a bug in 1.4.4, meaning that when a user is seeing a No Permissions Page, the WOL will show the actual page they are trying to view (meaning the hidden thread/forum) - in 1.4.5, the location will show as 'Viewing No Permissions page'. So, that's all they're seeing Smile

Well that's good the location showing will be more accurate in 1.4.5. I do understand that when someone clicks on a link that has been restricted, (such as member list), it will show they are accessing that page when in actuality they are seeing a no permissions page. But I still don't understand how this user could have shown up in our hidden forum at all, since the forum is not even viewable by members? They wouldn't have even been trying to view that page because they wouldn't have a forum to click on, kwim?

Do you think this is a bug as well?

Matt

2009-03-12, 05:17 PM
That's exactly what I think, there's a bug in the WOL. I don't think they were on that link at all.

I idle on the WOL a lot, and I see people that I know are doing one thing, but the WOL shows something else. I know this happens as I have asked people where they actually are, and the WOL said something different. It seems that if someone is actually viewing that thread or forum, a guest or another member will also show up as viewing it... I have no idea how to reproduce so can't make a bug report but I know for a fact something isn't right with it.

farleyq

2009-03-12, 05:46 PM
A bug is a bug is a bug. Toungue

Well you have eased my mind from thinking we've had a security breech. It is wierd, though. I'll just put it in the bug column and forget it for now. Cool

Thanks again for your help and quick response! Heart
MyBB Community Forums > Community Archive > Archived Forums > Archived Development and Support > MyBB 1.4 > MyBB 1.4 General Support > Member accessing hidden forum?