Fixed Prefix permissions not checked in search form

Opik · Mar 24, 2013

Hi,
even if you limit some prefixes to hidden forums and/or closed usergroups
they are still visible to everyone by using the search form:
http://xenforo.com/community/search/?type=post

This is because in Post.php, line 318:

PHP:

$viewParams['prefixes'] = XenForo_Model::create('XenForo_Model_ThreadPrefix')->getPrefixesByGroups();

getPrefixesByGroups() is called without conditions to limit results.

Regards Opik

orgetorix · Mar 24, 2013

Hello Opik,

Edit: 25032013-1800

don't try this.

PHP:

  public function getPrefixesByGroups(array $conditions = array(), array $fetchOptions = array(), &$prefixCount = 0)
    {
 
    $this->standardizeViewingUserReference($viewingUser);
        $prefixes = $this->getPrefixes($conditions, $fetchOptions);
        $prefixGroups = array();
        foreach ($prefixes AS $prefix)
    {
      if ($this->_verifyPrefixIsUsableInternal($prefix, $viewingUser))
        {
            $prefixGroups[$prefix['prefix_group_id']][$prefix['prefix_id']] = $this->preparePrefix($prefix);
        }
    }
        $prefixCount = count($prefixes);
        return $prefixGroups;
 
  }

Mike · Mar 25, 2013

That fix is not correct. "Usable" and "visible" prefixes are different.

I have this fixed for 1.1.4: before listing prefixes in the search system, we check that they're in a forum you can view.

orgetorix · Mar 25, 2013

Hey that is pretty fast

I thought if a prefix is not usable for a user he doesn't have to view.

It was just a try und it make what it should... i think.

Thanks for fixing.

Fixed Prefix permissions not checked in search form

Opik

Member

orgetorix

Member

Mike

XenForo developer

orgetorix

Member

Similar threads

We value your privacy