- Affected version
- 2.2.11
XF\Search\Data\Post::getTypePermissionConstraints
checks nodes a user can view, and adds non-viewable nodes to a skip list.However, it doesn't consider the "View thread content" permission. This permission is required when
Thread::canView
is called for each thread to prune non-viewable threads on display, as such should be just excluded entirely from the query.