Fixed Deleted users will have their threads revealed to the public

[Externalizable]

Affected version

XenForo 2.2.9

Hey,

It has come to our attention that deleted users will have their threads posted to private forums revealed to the public.
This behavior does not seem intended. Naturally, deleted members should have their posts protected, even after account deletion.

Steps to reproduce:

1. Create a private forum with the "View threads by others" permission set to "No" for all user groups
2. A user creates a new thread in the aforementioned private forum
3. This new thread can not be viewed by other registered users or guests
4. The user is deleted
5. The new thread is now visible to guests, but not to other registered users

It should be noted that, in order to exploit this bug, e.g. to collect potential privately shared information posted to this private forum, the attacker must know the thread id.
However, given that thread ids are incremental, this is easily accomplished with a simple crawling script.

We have temporarily fixed this issue by extending XFCP_Thread preDispatchType:

protected function preDispatchType($action, ParameterBag $params)
{
    /** @var \XF\Entity\Thread $thread */
    $thread = \XF::finder('XF:Thread')->where('thread_id', $params['thread_id'])->fetchOne();
    if ($thread) {
        if (!$thread->user_id && !\XF::visitor()->user_id) {
            throw $this->exception(
                $this->plugin('XF:Error')->noPermission()
            );
        }
    }
    parent::preDispatchType($action, $params);
}

This code throws a "No permission" exception if a guest visitor is trying to view a thread created by user_id 0, which the deleted user will be at the time of page load, fixing this bug. We do not utilize the "Enable writing before registering" feature which I believe breaks with this hotfix.

Tested using a fresh vanilla XenForo installation.

Please let me know if I can provide any more details. Thanks!

Forum permissions:


Thread as seen by an Administrator:


Thread as seen by a guest in incognito mode:

 

[Kirby]

Might be unexpected, but I am pretty sure that this is actually working as designed.

Can view threads by others doesn't block guests from viewing threads posted by guests - if it did it would effectively block access completely for guests.

 

[FTL]

This looks like a great find of this nasty bug. It's obvious that a private thread should stay private, even with a deleted user.

 

[Mendalla]

Instead of setting View Threads by Other to No for Unregistered, I set View Node to Never for a forum that I wanted to keep private. So they don't even know the node exists. Or do you want them to see it in the forum list for some reason?

 

[Mendalla]

That said, yeah it looks like a bug. My approach just mitigates it.

 

[Externalizable]

Might be unexpected, but I am pretty sure that this is actually working as designed.

Can view threads by others doesn't block guests from viewing threads posted by guests - if it did it would effectively block access completely for guests.

Thanks for the input! I see where you're coming from, but deleted users aren't guests–they were registered users at some point. As a deleted user I would expect to retain the same level of privacy I had when I was a registered user.

Instead of setting View Threads by Other to No for Unregistered, I set View Node to Never for a forum that I wanted to keep private. So they don't even know the node exists. Or do you want them to see it in the forum list for some reason?

Thank you for the suggestion–you are indeed correct, this does fix the issue, but makes it impossible for users to post to the private forum because they obviously can't see it now.

There are some real-world applications for private forums where users can create new threads and view replies to their thread, such as "Ban appeals" for banned users who don't want their reasoning for an unban or the response from a staff member to be visible to the public.

Technically there are some other workarounds, such as using private conversations with staff members, but we're happy using the hotfix mentioned above for the time being.

 

[Kirby]

Thanks for the input! I see where you're coming from, but deleted users aren't guests–they were registered users at some point.

Technically they are guests after the account has been deleted, so there is no difference between a thread originally created by a guest and a thread originally created by a registered user that got deleted.

As a deleted user I would expect to retain the same level of privacy I had when I was a registered user.

IMHO this isn't really possible.

Think of an Add-on that allows users to block users they are ignoring from accessing there threads.
When the account gets deleted, the information about ignored users (which is linked to the account) gets deleted as well.
This in turn would allow previously ignored users to access the threads.

 

[Externalizable]

Technically they are guests after the account has been deleted, so there is no difference between a thread originally created by a guest and a thread originally created by a registered user that got deleted.


IMHO this isn't really possible.

Think of an Add-on that allows users to block users they are ignoring from accessing there threads.
When the account gets deleted, the information about ignored users (which is linked to the account) gets deleted as well.
This in turn would allow previously ignored users to access the threads.

You're thinking like a developer, I'm thinking like an end-user.

As an end-user, I would not want my previously private threads to become public to all guests upon account deletion, regardless of the software's code complications. This is something that members of the forum I'm administering will unanimously agree with because of how we utilize private forums.

I'm sure the XenForo team would find a decent solution for this should they want to go the route of tackling this issue. Even if the XenForo team doesn't want to fix this issue, we found a solution that works for our forum, so I think everyone will be happy in the end.

 

[Anatoliy]

Technically they are guests after the account has been deleted,
so there is no difference between a thread originally created by a guest and a thread originally created by a registered user that got deleted.

true. but.
if my bank would close my account or my doctor or lower would stop "our relations", there would be no difference any more for them between me and all those people who never were their clients.
but it doesn't mean that they would not got in a judge court if they reveal my personal information, that I passed them when I was their client.
right?

 

[Hoffi]

The sulution would be, to have a user "Deleted" and on deleting a user, merge them.

But I understand this issue, that should not be visible for the public. Can't this be solved with "view node" settings?

Or, set for guests the view_by_others to never.

 

[Mendalla]

Thanks for the input! I see where you're coming from, but deleted users aren't guests–they were registered users at some point. As a deleted user I would expect to retain the same level of privacy I had when I was a registered user.


Thank you for the suggestion–you are indeed correct, this does fix the issue, but makes it impossible for users to post to the private forum because they obviously can't see it now.

There are some real-world applications for private forums where users can create new threads and view replies to their thread, such as "Ban appeals" for banned users who don't want their reasoning for an unban or the response from a staff member to be visible to the public.

Technically there are some other workarounds, such as using private conversations with staff members, but we're happy using the hotfix mentioned above for the time being.

Huh? That should only affect unregistered/guest. Registered users should not be affected by it. Which is how it is working in my private forum. Unregistered don't see it, registered can post as usual.

 

[mjda]

Are you letting guests post in this forum? If not, why not just block access to guests/unregistered?

If so, all guests can see each other's posts already.

That's how, I'd assume, it's expected to work.

 

[XF Bug Bot]

Thank you for reporting this issue, it has now been resolved. We are aiming to include any changes that have been made in a future XF release (2.2.12).

Change log:

Fix accidentally exposing thread content to guests without the "View threads by others" permission when the thread starter's account has been deleted

There may be a delay before changes are rolled out to the XenForo Community.