2011-06-09, 11:24 PM
I set up a forum, with an add-on installed, where guests can't view threads.
Other than that, I set manual permissions on categories and forums so that guests and awaiting-activation users have no access or limited access. Only registered members can view all threads, as set in the permissions...
Now I discovered the portal. When I open up the portal, all of my custom permissions become useless. Via the portal, all is visible. All posts, all categories, all forums can be viewed via the portal. What did I do? I deleted portal.php and added a redirection to my .htaccess that redirects any non-existing page to the main forum. If someone tries to access portal.php, which does not exist, it redirects to the main forum.
I thought that was enough...
Now I discovered RSS Syndication. This time, it's just like portal.php, where all posts in protected categories and forums are visible. My custom permission settings are useless if users try to view via RSS syndication. Everything is there. Regardless of permission, everything is visible.
Is this a security flaw? Or just misconfiguration?