Not a bug Bug on Tapatalk or Xenforo?

dbembibre

Active member
Affected version
1.5.13
Hi,

Tapatalk users can see alerts if someone quotes his messages through a private forum.

The alert only shows in Tapatalk, not in the web browser.

It's easy to reproduce. Create a new XenForo user (xenforo-user) and log in through Tapatalk. Next, on XenForo, create a private forum and make a quote of the new user.

The new user can see the new alert ("user X quote on name of the private forum") on Tapatalk.

Guys ........... this is a BIG privacy bug.

I'll contact Tapatalk to advise them.

Best regards,
 
Our code definitely doesn’t work like that so you would need to raise that with TT in the first instance.
 
Well .............. If the alert is showing in the user's account, that means XenForo permits Tapatalk access to this action (done in a private forum), and shows the alert and post title to the user.

I'm not sure all the responsibility is on TT's side.
 
It may be that XF sends the alert, but as above, the third party code should be making sure the user has permission to view it before showing it (which is what XF absolutely does). Aside from permissions there are many other things that need to be checked, including whether or not the user has opted out of specific alerts in their preferences, and whether the alert is from a user they ignore, etc.
 
I just double checked the code. We don't send an alert in this case:
Rich (BB code):
if (!$userModel->isUserIgnored($user, $post['user_id'])
   && XenForo_Model_Alert::userReceivesAlert($user, 'post', 'quote')
   && $this->canViewPostAndContainer($post, $thread, $forum, $null, $permissions, $user)
)
{
   $quotedUsers[$userId] = true;

   XenForo_Model_Alert::alert($userId,
      $post['user_id'], $post['username'],
      'post', $post['post_id'],
      'quote'
   );
}
The part I highlighted in red checks if the user the alert is being sent to can actually view the post where they are quoted.

So if that alert is still being sent then a) either TT or some other add-on is overriding our logic here and b) TT is still in the wrong for not checking the permissions anyway.
 
@Chris D just install TT and reproduce it. As I said, it's easy. I understand XF doesn't send the alert, but in some way it permits other apps to send it, and these alerts contain private information (such as the post title).

I'm still waiting for TT's answers.

Thanks for your support.
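
An added illustration, not part of the thread and not XenForo or Tapatalk code: the display-time re-check the staff replies describe, where a client filters stored alerts by ignore list, alert opt-out and view permission before showing them. Every class, method and field name is hypothetical, and the sample data is constructed.

```php
<?php
// Added illustration (PHP 8+); all names are hypothetical, not XenForo or Tapatalk code.
/** Constructed stand-in for the forum's permission and preference data. */
final class ForumState
{
    public function __construct(
        private array $viewableForums, // userId => forum ids the user may view
        private array $postForum,      // postId => forum id containing the post
        private array $optOuts,        // userId => disabled "contentType:action" keys
        private array $ignored         // userId => user ids this user ignores
    ) {}

    public function canViewPost(int $userId, int $postId): bool
    {
        $forumId = $this->postForum[$postId] ?? null; // unknown post: fail closed
        return $forumId !== null
            && in_array($forumId, $this->viewableForums[$userId] ?? [], true);
    }

    public function receivesAlert(int $userId, string $type, string $action): bool
    {
        return !in_array("$type:$action", $this->optOuts[$userId] ?? [], true);
    }

    public function isIgnored(int $userId, int $otherId): bool
    {
        return in_array($otherId, $this->ignored[$userId] ?? [], true);
    }
}

/** Re-check every stored alert at display time; anything unverifiable is dropped. */
function visibleAlerts(ForumState $state, int $viewerId, array $alerts): array
{
    return array_values(array_filter($alerts, fn (array $a): bool =>
        $a['content_type'] === 'post' // only types this client can verify
        && !$state->isIgnored($viewerId, $a['from_user_id'])
        && $state->receivesAlert($viewerId, $a['content_type'], $a['action'])
        && $state->canViewPost($viewerId, $a['content_id'])));
}

// Constructed sample: forum 1 is public, forum 2 is private; user 10 sees only forum 1.
$state = new ForumState([10 => [1]], [100 => 1, 200 => 2], [], []);
$alerts = [
    ['from_user_id' => 5, 'content_type' => 'post', 'content_id' => 100, 'action' => 'quote'],
    ['from_user_id' => 5, 'content_type' => 'post', 'content_id' => 200, 'action' => 'quote'],
];
foreach (visibleAlerts($state, 10, $alerts) as $a) {
    echo "alert shown for post {$a['content_id']}\n";
}
```

Because the filter runs when alerts are rendered, an alert row written by any other code path for a post the viewer cannot see is still withheld, along with its title.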
 