Not a bug Reports Bug

Crush

Member
When a user reports content that is in a hidden node only accessible to users in Usergroup A, users in Usergroup B will be able to see the thread content. Users in Usergroup A are Administrators, users in Usergroup B are Moderators. In this example, both should have access to the Reports Queue.

This seems like a very uncommon use case, but it seems that, since there are no permissions checks, hidden information could be exposed this way.
 
Can you verify this with accounts matching your description with add-ons disabled? The report center already handles permission checks and a user will only see what he has permission to see.
 
I fixed this one. It was because the Permissions were not all set to Revoke in the Node. Everything but View Node was set to Inherit from the Category. Users in the group could not view the node, but in certain cases (like the Reports) could see the thread content.
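
The misconfiguration described in the last post, as an added example that is not part of the thread and not XenForo's code: a simplified Python model of Inherit/Allow/Revoke resolution that flags nodes where a group is denied View Node yet still inherits other permissions from the category. The permission keys, group data and function names are hypothetical.

```python
# Simplified model of node permissions, not XenForo's code.
# Values follow the thread's wording: "Allow", "Revoke", "Inherit".
INHERIT, ALLOW, REVOKE = "Inherit", "Allow", "Revoke"

def resolve(perm, node_perms, category_perms):
    """Effective value of one permission: the node's own setting wins,
    "Inherit" (or unset) falls back to the category; anything but Allow denies."""
    value = node_perms.get(perm, INHERIT)
    if value == INHERIT:
        value = category_perms.get(perm, INHERIT)
    return ALLOW if value == ALLOW else REVOKE

def audit_hidden_nodes(nodes, categories, view_perm="view_node"):
    """Return {(node, group): [perms]} for every group that cannot view a node
    but still resolves other permissions on it to Allow through inheritance."""
    findings = {}
    for node_name, node in nodes.items():
        cat = categories[node["category"]]
        groups = set(node["perms"]) | set(cat)
        for group in sorted(groups):
            n = node["perms"].get(group, {})
            c = cat.get(group, {})
            if resolve(view_perm, n, c) == ALLOW:
                continue  # group may see the node; nothing to flag
            leftover = sorted(p for p in set(n) | set(c)
                              if p != view_perm and resolve(p, n, c) == ALLOW)
            if leftover:
                findings[(node_name, group)] = leftover
    return findings

# Constructed sample data (hypothetical permission and group names).
CATEGORIES = {"Staff": {
    "Moderators": {"view_node": ALLOW, "view_content": ALLOW, "view_attachment": ALLOW},
    "Administrators": {"view_node": ALLOW, "view_content": ALLOW},
}}
NODES = {
    "Admin only (as misconfigured)": {"category": "Staff", "perms": {
        "Moderators": {"view_node": REVOKE}}},  # everything else inherits
    "Admin only (all revoked)": {"category": "Staff", "perms": {
        "Moderators": {"view_node": REVOKE, "view_content": REVOKE,
                       "view_attachment": REVOKE}}},
}

if __name__ == "__main__":
    for (node, group), perms in audit_hidden_nodes(NODES, CATEGORIES).items():
        print(f"{node}: {group} cannot view the node but still has {perms}")
```

Only the node that leaves everything but the view permission on Inherit is flagged; the node with every permission set to Revoke produces no finding.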
 