On our forum, we have a Moderator Forum that's only visible to Administrators, Global Moderators, and Moderators. Except there's a problem with that. Even as a Guest I can view posts in the Moderator Forum.

I can demonstrate this to you easily. Go to this thread: https://www.stovebolt.com/ubbthreads/ubbthreads.php/topics/1288422/new-addition.html#Post1288422

The Moderator in this thread is Achipmunk. Click on his Display Name, then select Show Forum Posts. From the dropdown list of his posts, select one in the Moderator Forum.

Click on it. You'll be viewing a thread in the Moderator Forum.

Now scroll to the top and click on Moderator Forum in the breadcrumbs.

You'll be taken to a login page and told you don't have permission to see this as a guest.

Click on Previous Page and you'll go right back to the forum you don't have permission to view.

This seems like a loophole in the code. A quick and dirty way to fix it would be to never display posts for a prohibited forum in the Posts list, but that ISTM doesn't really fix the problem.

The real problem is that you should not be allowed to view a post if you don't have permission to view it no matter how you arrived at it. If I send you the link to the post directly, you can view it as a Guest, without having to go through the above steps. So it appears that permissions are not being verified before viewing posts.


The Stovebolt Geek
http://www.stovebolt.com/ubbthreads/ubbthreads.php

UBBThreads 7.7.3
Web Server Apache/2.4.37
PHP Version 7.2.19
MySQL Version 5.6.38
Database Size 2.23 GB
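Added example, not part of the original post and not UBB.threads code: a sketch of the fix the post asks for, where the post view and the profile's "Show Forum Posts" list both call the same forum-permission check the forum index uses, so a direct link or the Previous Page button cannot bypass it. The schema, group names and function names are hypothetical, and the sample data is constructed.

```php
<?php
declare(strict_types=1);

// Constructed sample data (hypothetical schema, not UBB.threads' tables).
const FORUM_GROUPS = [            // forum id => groups allowed to read it
    1 => ['guest', 'user', 'moderator', 'admin'],   // public forum
    9 => ['moderator', 'admin'],                    // moderator-only forum
];
const POSTS = [                   // post id => owning forum, author, body
    100 => ['forum' => 1, 'author' => 'mod1', 'body' => 'Public reply'],
    200 => ['forum' => 9, 'author' => 'mod1', 'body' => 'Moderator-only note'],
];

// Single source of truth for read access; unknown forums are denied.
function canReadForum(string $group, int $forumId): bool
{
    return in_array($group, FORUM_GROUPS[$forumId] ?? [], true);
}

// Post view: resolve the post's forum and check it on every request,
// whether the visitor came from the forum index, a profile, or a pasted link.
function viewPost(string $group, int $postId): array
{
    $post = POSTS[$postId] ?? null;
    // Same response for "missing" and "forbidden" so existence is not revealed.
    if ($post === null || !canReadForum($group, $post['forum'])) {
        return ['status' => 404, 'body' => null];
    }
    return ['status' => 200, 'body' => $post['body']];
}

// "Show Forum Posts" on a profile: filter with the same check, so the list
// never links to posts the viewer cannot open.
function listPostsByAuthor(string $group, string $author): array
{
    $ids = [];
    foreach (POSTS as $id => $post) {
        if ($post['author'] === $author && canReadForum($group, $post['forum'])) {
            $ids[] = $id;
        }
    }
    return $ids;
}

var_dump(viewPost('guest', 200)['status']);      // direct link as guest
var_dump(viewPost('moderator', 200)['status']);  // same link as moderator
var_dump(listPostsByAuthor('guest', 'mod1'));    // guest's view of the profile list
```

Filtering the profile list alone would only hide the links; the check inside `viewPost` is what stops a pasted URL from working.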