Anonymous
Unregistered
Just noticed by one of our mods last night...

Any logged in member can view recent posts and see the titles of any posts made by moderators and administrators in our private forums.

This wouldn't be so bad other than we generally post admin topics such as:

'JoeHacker (0006734) Pirate???'

In our failing attempt to keep our forums clean of trash. Sometimes we are wrong about these things, most of the time we are right, but we post these things to make sure all the signs are there before just kicking someone from the server.

IF users found out about this, we could have quite a few pissed off users...

Is this happening to anyone else?

[This message was edited by Charles Capps on August 19, 2002 at 10:21 AM.]

Anonymous
Unregistered
Which version are you running?

You're referring to the "view recent posts" link when viewing someone's profile?

Anonymous
Unregistered
Good catch, I think the following in public_user_posts.pl fixes it:

Find:
<pre> next unless $user_permissions->has_permission("forum", "view", $f);</pre>
Replace with:
<pre> next unless $user_permissions->has_permission("forum", "view", $f) == 1;</pre>

Anonymous
Unregistered
I'm not sure if that's the correct fix (UBB::SecurityToken::has_permission() is not easy to understand), but there are other places in the script where has_permission() is checked in a similar manner. Those could have the same problem (if it is a problem).

Anonymous
Unregistered
Doh! Thought it was obvious that I was using the latest version as it just came out yesterday :p I yell at my own users for not stating the obvious because most of the time what ya think is the obvious ain't :)

Anywho, yeah, when you go to user profile and check latest posts, you'll see some of these. It doesn't show up in Today's Active Topics or other searches, but it does show up there.

LK -- I'm going to see if your hack works...we've gone back and changed all the private admin message titles, but this might help so if we forget :) Thanks!

clif

Anonymous
Unregistered
Oops, instead of == 1, make it > 0...
<pre> next unless $user_permissions->has_permission("forum", "view", $f) > 0;</pre>

Anonymous
Unregistered
has_permission can only return -2, -1, 0, undef, 1, 2, 3, and 4 when called for forum access. -2, -1, 0, and undef should all be false values for the unless check, which makes the > 0 bit a bit redundant...

clif, please open a support ticket (link in my sig)... include ATTN: Charles in the body, along with this URL:

http://community.infopop.net/6/ubb.x?a=tpc&s=729094322&f=1863088313&m=1083036725

--
Charles Capps
UBB.classic™ Developer
Having problems? Open up a support ticket!

Anonymous
Unregistered
Quote
-2, -1, 0, and undef should all be false values for the unless check, which makes the > 0 bit a bit redundant...
Hmmmm ... but aren't -2 and -1 interpreted as "true" in Perl?

I thought that the only expressions interpreted as false were undef, 0, "0", "" (empty string) and () (empty list).

Anonymous
Unregistered
Dave is correct. Same bug also occurs in all other forums.

Anonymous
Unregistered
I would *love* to know when this issue has been resolved so I can update from 6.2.x :)

Anonymous
Unregistered
Posted in error. Disregard.

Anonymous
Unregistered
As requested, I put in a support ticket though I'd imagine it would only be there to get into your to-do list as LK's fix works perfectly.

Thanks LK!

Anonymous
Unregistered
Gargh. Mixed logic. :(

--
Charles Capps
UBB.classic™ Developer
Having problems? Open up a support ticket!

Anonymous
Unregistered
Same bug in ubb_search.cgi:
<pre> if($user_permissions->has_permission('forum', 'view', $vars_forums{$number}->[8]) > 0) {</pre>
<pre> (!$username || !$user_permissions || $user_permissions->has_permission('forum', 'view', $in{search_forum}) < 0 )) {</pre>
<pre> next unless $user_permissions->has_permission("forum", "view", $number) > 0;</pre>

Anonymous
Unregistered
grep found "has_permission" in the following files:

cgi-bin\ubb_lib_pntf.cgi:
cgi-bin\ubb_lib_secgroups.cgi:
cgi-bin\ubb_poll.cgi:
cgi-bin\ubb_profile.cgi:
cgi-bin\ubb_search.cgi:
noncgi\Templates\public_avatar_select.pl:
noncgi\Templates\public_edit_profile.pl:
noncgi\Templates\public_user_posts.pl:

I'd suggest checking all of them. ;)
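A heuristic way to run that check, as an added example (not from the original posts and not UBB's own code): it flags every has_permission() call whose result is used as a plain boolean instead of being compared with a number. The sample lines are constructed from the snippets quoted in this thread, and bare_checks is a hypothetical helper name.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample lines modelled on the snippets quoted in this thread.
my @sample = (
    'next unless $user_permissions->has_permission("forum", "view", $f);',
    'next unless $user_permissions->has_permission("forum", "view", $f) > 0;',
    '&& (!$perms->has_permission("forum", "view", $in->{f}))) {',
    '&& ($perms->has_permission("forum", "view", $in->{f}) <= 0)) {',
);

# Return [line number, text] for each has_permission() call that is not
# directly followed by a numeric comparison operator.
sub bare_checks {
    my @lines = @_;
    my @hits;
    for my $i (0 .. $#lines) {
        my $line = $lines[$i];
        # Match the call with its balanced argument list (needs Perl 5.10+).
        while ($line =~ /has_permission\s*(\((?:[^()]++|(?1))*\))/g) {
            my $rest = substr($line, pos($line));
            next if $rest =~ /^\s*(?:<=>|[<>]=?|[=!]=)/;
            push @hits, [$i + 1, $line];
        }
    }
    return @hits;
}

# With file names on the command line, scan them as one concatenated stream
# (line numbers then run across all files); otherwise scan the sample lines.
my @input = @ARGV ? <> : @sample;
chomp @input;
printf "line %d: %s\n", @$_ for bare_checks(@input);
```

A flagged line is a candidate for review, not proof of a leak: a call whose result is stored in a variable and compared later is also reported.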

Anonymous
Unregistered
Double post :/

Anonymous
Unregistered
Cool, so it IS possible to check if the user can access forum page in PNTF!! :p
<pre> } elsif(((exists $in->{f}) && ($in->{f} =~ m/^\d+$/) && (ref($perms) =~ m/UBB::SecurityToken/) && (!$perms->has_permission("forum", "view", $in->{f}))) || ((exists $in->{f}) && ($in->{f} =~ m/^\d+$/) && (!exists $self->{VARSFORUMS}->{$in->{f}}))) {</pre>
should be
<pre> } elsif(((exists $in->{f}) && ($in->{f} =~ m/^\d+$/) && (ref($perms) =~ m/UBB::SecurityToken/) && ($perms->has_permission("forum", "view", $in->{f}) <= 0)) || ((exists $in->{f}) && ($in->{f} =~ m/^\d+$/) && (!exists $self->{VARSFORUMS}->{$in->{f}}))) {</pre>

BTW, ubb_search.cgi shoulda had <=0, not < 0 :p
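The checks discussed across this thread (bare truthiness, == 1, > 0, and the deny-side !, < 0 and <= 0), run against every return code listed above, as an added example that is not part of the original posts or of UBB's code. It assumes, as the thread does, that only codes greater than 0 should show the forum; the meaning of each individual code is not given on the page.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Return codes the thread lists for a forum "view" check.
my @codes = (-2, -1, 0, undef, 1, 2, 3, 4);

# Each entry answers "is the forum shown?" for one way the thread writes the
# test. undef is mapped to 0 first, which is how Perl numifies it anyway.
my @checks = (
    [ 'skip unless r'      => sub { $_[0] ? 1 : 0 } ],
    [ 'skip unless r == 1' => sub { ($_[0] // 0) == 1 ? 1 : 0 } ],
    [ 'skip unless r > 0'  => sub { ($_[0] // 0) > 0 ? 1 : 0 } ],
    [ 'deny if !r'         => sub { !$_[0] ? 0 : 1 } ],
    [ 'deny if r < 0'      => sub { ($_[0] // 0) < 0 ? 0 : 1 } ],
    [ 'deny if r <= 0'     => sub { ($_[0] // 0) <= 0 ? 0 : 1 } ],
);

# Compare one check against the assumed policy (shown only when code > 0) and
# describe every code on which it disagrees.
sub mismatches {
    my ($shown) = @_;
    my @wrong;
    for my $code (@codes) {
        my $label = defined $code ? $code : 'undef';
        my $want  = ($code // 0) > 0 ? 1 : 0;
        my $got   = $shown->($code);
        next if $got == $want;
        push @wrong, $got ? "exposes on $label" : "hides on $label";
    }
    return @wrong;
}

for my $check (@checks) {
    my ($name, $shown) = @$check;
    my @wrong = mismatches($shown);
    printf "%-20s %s\n", $name, @wrong ? join(', ', @wrong) : 'ok';
}
```

The truthiness forms expose the forum on -2 and -1, == 1 hides it on 2, 3 and 4, and < 0 as a deny test lets 0 and undef through; only > 0 and <= 0 agree with the assumed policy on every code.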

Anonymous
Unregistered
Fixed in the next release.

--
Charles Capps
UBB.classic™ Developer
Having problems? Open up a support ticket!

