http://www.icyphoenix.com/viewtopic.php?f=29&t=203
-----------------------------------
Eradicator
Mon 28 Aug, 2006 19:27

[BUG] Topic_view_users.php And Permissions
-----------------------------------
In topic_view_users.php users should not have access to view topics' views of unauthorized topics (unauthorized forums).

But actually users, even without forum (so topic) permissions, can see every topic's views.

I think it's a bug. If I protect a forum, I want to prevent any action on it, not only the view_forum or view_topic.

Can MG make a patch for it?

Thanks! :wink:


-----------------------------------
Eradicator
Mon 28 Aug, 2006 19:32

Re: [BUG] Topic_view_users.php And Permissions
-----------------------------------
Another related "bug", if we want to consider this a bug:
If another user is viewing the topic_view_users.php page, and I see his action on viewonline.php, the link of that action is only the URL to the "topic_view_users.php" without any topic_id.
So, it should be "topic_view_users.php?t=XXXX".
Where XXXX is the related topic ID.


-----------------------------------
AvrilBoi
Mon 28 Aug, 2006 19:35

Re: [BUG] Topic_view_users.php And Permissions
-----------------------------------
But the user will just know the users who have seen *a* topic, but will never know which is this topic that those users have seen :roll:


-----------------------------------
ganesh
Mon 28 Aug, 2006 19:41

Re: [BUG] Topic_view_users.php And Permissions
-----------------------------------
I can't follow the both of you... :mrviolet:


-----------------------------------
Eradicator
Mon 28 Aug, 2006 19:42

Re: [BUG] Topic_view_users.php And Permissions
-----------------------------------
Yes, I know it. But I think it should not be possible in a correct and accurate permissions policy.


-----------------------------------
Eradicator
Mon 28 Aug, 2006 19:46

Re: [BUG] Topic_view_users.php And Permissions
-----------------------------------
[quote user="ganesh" post="1623"]I can't follow the both of you... :mrviolet:[/quote]
Try to go to these links:
ID1=ID of a public topic
ID2=ID of a topic in a protected forum that you cannot view because you do not have any permissions

/topic_view_users.php?t=ID1
/topic_view_users.php?t=ID2

You can see the page for both links!
For the first link it is correct.
For the second link, in my opinion, it should be considered that users do not have access to that forum (so that topic). It's wrong to let them see any kind of information about a protected topic.


-----------------------------------
AvrilBoi
Mon 28 Aug, 2006 19:47

Re: [BUG] Topic_view_users.php And Permissions
-----------------------------------
[quote user="Eradicator" post="1624"]Yes, I know it. But I think it should not be possible in a correct and accurate permissions policy.[/quote]
Yes, that's true.
[quote user="ganesh" post="1623"]I can't follow the both of you... :mrviolet:[/quote]
What don't you understand exactly?


-----------------------------------
ganesh
Mon 28 Aug, 2006 19:54

Re: [BUG] Topic_view_users.php And Permissions
-----------------------------------
I see... but...
If only admin or moderators are allowed to post there... I don't know why a user has to guess the id for a protected topic to discover that the topic itself has been viewed by mods and admins...
Guests can't see anything...
I can't follow...

 :?


-----------------------------------
Eradicator
Mon 28 Aug, 2006 20:07

Re: [BUG] Topic_view_users.php And Permissions
-----------------------------------
A kind of SQL injection.
It's not dangerous, but now it's allowed.
A standard page "You have not access to this page" should be shown.


-----------------------------------
Eradicator
Mon 28 Aug, 2006 20:12

Re: [BUG] Topic_view_users.php And Permissions
-----------------------------------
There is another thing related to both topic_view_users.php and viewonline.php.
If a user is in topic_view_users.php and I am viewing viewonline.php to see what users are doing, I see the row:
USER XXXXX       Viewing Topic's views.
The phrase "Viewing Topic's view" is linked to the page topic_view_users.php without the value [b]t[/b] sent by GET.
So, if I click on that link (without the [b]t[/b] value) I receive an SQL error.
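
The two behaviours reported in this thread (topic_view_users.php answering for a topic in a forum the user cannot view, and an SQL error when [b]t[/b] is missing) come down to two checks before the viewer list is built. The sketch below is an added example, not part of the original posts and not Icy Phoenix code; the handler, helper names, group model and sample data are all hypothetical and constructed for illustration.

```php
<?php
// Added example, not Icy Phoenix code. All data below is constructed.
const TOPIC_FORUM = [10 => 1, 20 => 2];            // topic_id => forum_id
const FORUM_GROUPS = [1 => ['*'], 2 => ['admin']]; // forum_id => groups allowed to view
const TOPIC_VIEWERS = [10 => ['alice', 'bob'], 20 => ['root']];

/** Return the GET parameter t as a positive integer, or null if absent or malformed. */
function parse_topic_id(array $get): ?int
{
    $id = filter_var($get['t'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Deny by default: a forum with no entry is visible to nobody. */
function can_view_forum(int $forum_id, array $user_groups): bool
{
    $allowed = array_key_exists($forum_id, FORUM_GROUPS) ? FORUM_GROUPS[$forum_id] : [];
    return in_array('*', $allowed, true) || count(array_intersect($allowed, $user_groups)) > 0;
}

/** Hypothetical page handler; returns [HTTP status, body]. */
function topic_view_users(array $get, array $user_groups): array
{
    $topic_id = parse_topic_id($get);
    if ($topic_id === null) {
        // No query is built from a missing or non-numeric t, so no SQL error page.
        return [400, 'No topic selected'];
    }
    // Unknown and forbidden topics get the same answer, so the response does not
    // confirm which topic IDs exist inside a protected forum.
    if (!array_key_exists($topic_id, TOPIC_FORUM)
        || !can_view_forum(TOPIC_FORUM[$topic_id], $user_groups)) {
        return [403, 'You have not access to this page'];
    }
    return [200, implode(', ', TOPIC_VIEWERS[$topic_id])];
}

// Constructed requests from a user who belongs only to the "member" group.
foreach ([['t' => '10'], ['t' => '20'], ['t' => '999'], [], ['t' => 'abc']] as $get) {
    [$status, $body] = topic_view_users($get, ['member']);
    echo json_encode($get), " => $status $body\n";
}
```

The authorisation decision is taken against the topic's parent forum, the same object that gates view_forum and view_topic, so every secondary page about a topic inherits the forum's protection.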


-----------------------------------
Mighty Gorgon
Mon 28 Aug, 2006 23:53

Re: [BUG] Topic_view_users.php And Permissions
-----------------------------------
I've fixed this...


-----------------------------------
Eradicator
Tue 29 Aug, 2006 20:03

Re: FIXED -[BUG] Topic_view_users.php And Permissions
-----------------------------------
Great! :wink:


