#3505 - Access rights for forum block are incorrect
| Identifier | #3505 |
|---|---|
| Issue type | Minor issue (breaks specific functionality) |
| Title | Access rights for forum block are incorrect |
| Status | Completed |
| Handling member | Chris Graham |
| Addon | General / Uncategorised |
| Description | I am seeing topic titles for topics I have no access to view. As these titles may not be intended for viewing by those without access rights, I thought I should bring this to your attention: 1) because this could be considered a leak of information if not intended; 2) because this may be an issue with the block rather than an incorrect permission setting, and the same issue may be present in the release version. |
| Steps to reproduce | |
| Funded? | No |


Comments
"The name of the forum from which to display news. May be a comma-separated list. Using forum IDs instead of names is more efficient. Default: 'Announcements'. Note: do not refer to a restricted forum or your security will be eroded."
Is this main_forum_news or main_forum_topics?
You were using main_forum_topics.
That block did not contain the note about permission leakage.
Nevertheless, the block was designed to work like this.
It goes through the forum driver system, which doesn't support forum permissions.
It would be good to add support for forum permissions specifically for Conversr users; however, that is a feature request. I'll add a note to the issue about making permissions optional for blocks, as it ties in well.