miniBB Support Forums

Moderators can edit posts from the disallowed forum

Author Prince
Registered
#1 | Posted: 9 Jul 2012 02:53 | Edited by: Prince 
Hello,

One of my Moderators discovered something for editing posts!

For example if we have two forums with these IDs: 1 and 2

This user is just a moderator of forum number 1, but he can still edit posts in forum number 2 even though he doesn't have access to that forum!
What he does is this: he goes to his forum, opens a topic and tries to edit it, and then a link like this appears:

http://forum_url/index.php?action=editmsg&topic=5850&forum=1&post=355376&page=1&anchor=355376

So if he wants to edit a post in a topic in forum 2, he just needs to put the post's number in the link (I made it bold), and then he can edit it!

Is there any way to prevent such things? Because if he is not a moderator of a forum, he should not be able to edit a post in that forum.

Hope you understand what I mean! :)

Thanks

Author Paul
Lead Developer
#2 | Posted: 9 Jul 2012 16:13 
I'm not sure this is a bug - could you repeat the same on our demo version?

Author Prince
Registered
#3 | Posted: 9 Jul 2012 18:38 
Paul:
I'm not sure this is a bug - could you repeat the same on our demo version?

Yes I could change this post with this ID:"zxc" in Everything forum that "zxc" ID. zxc doesn't have access to Everything but I could edit that post!

Even move or delete it, just by changing its number.

Author Paul
Lead Developer
#4 | Posted: 9 Jul 2012 19:18 
Ok... I suppose the bug is the following: if we substitute the proper forum ID in the editing request, i.e. the forum ID of the forum which the moderator has been assigned to, then the message could still be edited... right? It appears to work so on my end... Because if I edit the message with its original forum ID, which the moderator is not assigned to, the message is not allowed to be edited.

Author Prince
Registered
#5 | Posted: 9 Jul 2012 19:27 
Paul:
Ok... I suppose the bug is the following: if we substitute the proper forum ID in the editing request, i.e. the forum ID of the forum which the moderator has been assigned to, then the message could still be edited... right?

Exactly. The forum ID is the one they have access to; they just change the post or topic numbers! :)

Author Prince
Registered
#6 | Posted: 10 Jul 2012 00:26 
So is there any way to prevent that?

Author Paul
Lead Developer
#7 | Posted: 10 Jul 2012 21:57 | Edited by: Paul 
Prince:
The forum ID is the one they have access to; they just change the post or topic numbers!

I think otherwise... they copy topic/forum/post IDs to edit and then substitute "their" allowed forum ID. At least this is the way I did it on my own.
There is certainly a fix, and I'll try to look at it ASAP. The problem is in index.php, where $isMod is assigned... but I need some time to think about it more deeply, as it appears not to be an easy fix. I hope to come up with the solution soon.

Thanks for this report!

(The bug has been fixed in miniBB 3.0.3).

This topic is closed. New replies are not allowed.
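
The authorization pattern discussed in this thread, as an added PHP example that is not miniBB's code and not the 3.0.3 fix: a moderator check that trusts the `forum` request parameter, next to one that looks up the post's stored forum and authorizes against that. All function names, the user name and the sample data are hypothetical and constructed for illustration; it assumes the flaw is a check keyed on the request's forum ID, which is how the posts above describe the behaviour.

```php
<?php
// Constructed sample data (hypothetical, not miniBB's schema).
$postForum = [355376 => 1, 400001 => 2];  // post ID => forum the post is stored in
$modForums = ['mod_a' => [1]];            // user    => forums that user moderates

// Flawed pattern: moderator status is decided from the forum ID in the request,
// so any post ID can be paired with a forum the user happens to moderate.
function isModByRequest(array $modForums, string $user, array $req): bool
{
    $forum = (int)($req['forum'] ?? 0);
    return in_array($forum, $modForums[$user] ?? [], true);
}

// Hardened pattern: resolve the post's real forum server-side, reject requests
// whose forum parameter disagrees with it, then check rights on the real forum.
function isModForPost(array $modForums, array $postForum, string $user, array $req): bool
{
    $postId = (int)($req['post'] ?? 0);
    if (!isset($postForum[$postId])) {
        return false;                      // unknown post: deny
    }
    $realForum = $postForum[$postId];
    if ((int)($req['forum'] ?? 0) !== $realForum) {
        return false;                      // forum parameter does not match stored forum
    }
    return in_array($realForum, $modForums[$user] ?? [], true);
}

// Constructed requests, as PHP would receive them in $_GET.
$requests = [
    'own'      => ['action' => 'editmsg', 'forum' => '1', 'post' => '355376'],
    'mismatch' => ['action' => 'editmsg', 'forum' => '1', 'post' => '400001'],
    'foreign'  => ['action' => 'editmsg', 'forum' => '2', 'post' => '400001'],
];

foreach ($requests as $name => $req) {
    printf(
        "%-9s request-based=%s post-based=%s\n",
        $name,
        var_export(isModByRequest($modForums, 'mod_a', $req), true),
        var_export(isModForPost($modForums, $postForum, 'mod_a', $req), true)
    );
}
```

The same lookup applies to the move and delete actions mentioned in post #3: each should derive the forum from the stored post or topic record before deciding moderator rights.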
 