• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

Fixed Prefix permissions not checked in search form

#1
Hi,
even if you limit some prefixes to hidden forums and/or closed usergroups
they are still visible to everyone by using the search form:
http://xenforo.com/community/search/?type=post

This is because in Post.php, line 318:
PHP:
$viewParams['prefixes'] = XenForo_Model::create('XenForo_Model_ThreadPrefix')->getPrefixesByGroups();
getPrefixesByGroups() is called without conditions to limit results.


Regards Opik
 
#2
Hello Opik,

Edit: 25032013-1800

don't try this. :p


PHP:
  public function getPrefixesByGroups(array $conditions = array(), array $fetchOptions = array(), &$prefixCount = 0)
    {
 
    $this->standardizeViewingUserReference($viewingUser);
        $prefixes = $this->getPrefixes($conditions, $fetchOptions);
        $prefixGroups = array();
        foreach ($prefixes AS $prefix)
    {
      if ($this->_verifyPrefixIsUsableInternal($prefix, $viewingUser))
        {
            $prefixGroups[$prefix['prefix_group_id']][$prefix['prefix_id']] = $this->preparePrefix($prefix);
        }
    }
        $prefixCount = count($prefixes);
        return $prefixGroups;
 
  }
 

Mike

XenForo developer
Staff member
#3
That fix is not correct. "Usable" and "visible" prefixes are different.

I have this fixed for 1.1.4: before listing prefixes in the search system, we check that they're in a forum you can view.
 
#4
Hey that is pretty fast :)

I thought if a prefix is not usable for a user he doesn't have to view. :)

It was just a try und it make what it should... i think.

Thanks for fixing.